From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by mx.groups.io with SMTP id smtpd.web09.9590.1617976418220370452 for ; Fri, 09 Apr 2021 06:53:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=kbOHWkYu; spf=pass (domain: gmx.de, ip: 212.227.17.21, mailfrom: juergen.landwehr@gmx.de) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1617976416; bh=9llIqQob+eMPS53yhzbr4deBUTr6rQgQWi0trWRm9cs=; h=X-UI-Sender-Class:From:To:Cc:Subject:Date; b=kbOHWkYustTrOpPSRwHVi1Q6kAsC9fCcChuR+qJy063VkUUcX+Cssw8igTibh/Tsb vKle7i9a/zJyP074/5bj6txfSawHaN3p/kkR7SrUcAEbb1jCUgzzftbv2FIUf21fB/ V5FeJGLbJLPYAmdGuiP4LWi8nXOY0KDXhTx0DRr8= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from [46.223.148.168] ([46.223.148.168]) by web-mail.gmx.net (3c-app-gmx-bap62.server.lan [172.19.172.132]) (via HTTP); Fri, 9 Apr 2021 15:53:35 +0200 MIME-Version: 1.0 Message-ID: From: juergen.landwehr@gmx.de To: yocto@lists.yoctoproject.org Cc: alexander.kanavin@daimler.com, raj.khem@gmail.com Subject: #golang: go fetches dependencies in compile phase Date: Fri, 9 Apr 2021 15:53:35 +0200 Importance: normal Sensitivity: Normal X-Priority: 3 X-Provags-ID: V03:K1:Wei6Nl0vbN6TdpPsmdMLn6R/a9DWJ4LUFPfgoIcRxbeE8vuuaqM82P+qmrNtyUvOPgTgr kr0Q5UmCXBk9V6yhUVY/huvLt9BrIFhL4c1ppnfPzAOLmqPcpHKxzkwhI3SmZ+N4UWfQg3fvglqG ofnAd9AJM9SZREB3He5ACWLgps/BpY04QeeqNBM8fPvhpW/DqctbzXGv3//sITEoGU2Js6vr1iFg FpBFY8q17H9D1WHv87RHyqZLgTIwRWkrX9LlURqr/jEgVi5BXPr7pMiCfjj/nPrbXUSvgCkRmJ3y MM= X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:HWCd9PujLO4=:JkGLxBQ2GY1ndIO0CzS8ZK pC2WC3CIf/DnSW7GtyWGSF4qWp9nOzmOg3oU64dkKk9FXORRCVo+n7RFpO5XYAtGXsywlGJkT 4rBTndk8jKAIOUsxpZjzBdXhGrZ9z8lYm2olzDGIFbwvtxVgxstKVmiygdosa+WhGJ84QQ5HN pd/gdbf4/G+C/YuWvEbUYuUxYtSFfp6zTqhSuyn9CMY/MTBOFYulNB8v//hSTObDUaZXGfafQ GmpHTBC3hXyJcYjKa60hrAmZhYk4tvq7XJdcfw4Zv224AV3pOhgX7Tc7kzo2ouJJQkiQ0+Auw cd5Oyr0iA+Rqf95mj79YXwinBQWidaWFm9i8H79NKTF1bmJBwqom5sFuUSy6DQDerVEW9Q2v2 anPTW8abFbvorg+mUcET4AGz4YPlJ4xm1E/RnEDknQ05x+ZwurBlxU5I9RUohaN1ibvSdbYxx SJ+W85rkql+IyEn63/xVnWPmRhrIqOBS8VSsxa98fCLs6hD4DJGUr/98PU2/HUDllQAdgizlE 6nrlG16fv/6ATupYbm5iC0uDS+eZkSa8Zn3czvfYxef5xBe3Nj1N++LrJoy1Ob94sZrVV7DBc peX6aF7impOQi0q5lAXHi421ufnliFKIrAx1++R9iSPiOUWEOozMMbsBdXa9r4UXPcShbzwGT daSo03dpwke/CbfLwKExT+IPIyoinjgxuaf6LhcY2+Olfo7lxurOyrxLos3bGwjsk+nrdpxMF kKZWbMXn0Z3I/GPUQp9yxGX4QEjnno3c4TiqLgP68tyD07M/f+FaNWEFvzRfouwuXB4IpZdX0 4JCw763PP4ehnboRNckSxKtzNz9EjijIVweu4J2/e8BirDBD0VZeyfsuW0rsA1l7RCY5CmK1q IWhZyAH9PzxqocAyOMkJkGHXalRzgixZh4xEyPuQzXYZyo3Yrl8t50+4Z3Uet+hGNBeS+11s9 Jsu2b/gsk9Q== Content-Type: text/html; charset=UTF-8
Hi,
 
we are developing an application in go and use the "go-mod" bb-class from poky. This works fine.
 
However, the problem is, that the dependencies in go.mod are now fetched in the compile phase and not in the fetch phase.
 
This is not allowed in our project setup and kind of contradicts the Yocto paradigmn of having a fetch and a compile phase.
 
Is there a way to avoid this or some other solution that we could use?
 
Thanks,
 
Jürgen
From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from EUR01-VE1-obe.outbound.protection.outlook.com (EUR01-VE1-obe.outbound.protection.outlook.com [40.92.66.39]) by mx.groups.io with SMTP id smtpd.web09.10999.1617981602401831969 for ; Fri, 09 Apr 2021 08:20:02 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="body hash did not verify" header.i=@outlook.com header.s=selector1 header.b=Z9gWfbj9; spf=pass (domain: outlook.com, ip: 40.92.66.39, mailfrom: kweihmann@outlook.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FaRh/IameBem1x+8dxa43/vkoHOecYk2nU+QB6fr0dstK3ZABwP+JVnXD4ce8HsBimkcgyh702WJRZTVtus8f61XGGiU5u3JugOkCtKH72GrnyhBwlod/0HbQ1nTS+7BhkJ5eqGM8UPj4LRndiRAL/SDLAO7VMsLiVmHg2xdQAMZ0JrgLmDTNaBWwkp2eFgFYwFHWNGWF41c2jqzg2A+Hz1O+HfCcYlmo59BXgOe8Fg2o59vmhJLTKHCagYRR/kLB51ciccRPLl5/d2OvADNy7A4ABi5cD5Xu0pW69Zxzijw+AV7hpHnEPgxN5Vpk0W9xlhlBrgqwu5iIHd7Pxp2ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gnLnwdWQ8r7Ho5LmaeebpeC1xX+9fIT5PFk1oiXSzuw=; b=J8bHU9tnH4JZU26b22TnaANoKcjZFcmcFvgdF8KQE24UVamO1dxkwDz4lKcXHo8twJk0IlWpdZYPtjvLPENddpMdxLSeN9eNoHt2yBryCWas0T5TLa9QM5YZj4b9Vau/51nOaa5m52hjLxRxjxCpS2UgwdGbAAx4/HUhkA75VuDSvSf9fQAdQfwWfi7w1VelMxXjvqTVrwKvxXsXJ+tubKg0Y4QcdmScITH6efk553nYDnE7lcT108+sdbe2PahEQw3ASnQKL4C6uBtNujFyzpFHOakDHVs9vIQOgNKWQq1ADTeucdpWbunn2JBiuQPyk/y5FutQC6h4GeurwPt6Dw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=gnLnwdWQ8r7Ho5LmaeebpeC1xX+9fIT5PFk1oiXSzuw=; b=Z9gWfbj9aN9YEPlxbnIaV2QTlSz9eVTIlzTBLSsaOquIMrn2gNER/dNoAQnKvz2zb+K37xCACUgaR0jrl1lRLicH4BNXPtZwFz+WN1uus2jZcp/OBDyq9pGKjQIl6YPnwr3UYaKFH1kyGKq/0MvGhZQTNCi5tSuU4MNpjotraAttJ9pgvFWxbEeG5mK8WzqRmkFGxx4uCn7fxZHb80MTZPRnCb/wRhywoPtVBY+kgnhdHZzfue10oev6YBUeFwNfxmslrvlYkRqaM3adVVSaRpwyoU+ng9+Z/NVQ2kSNa/3N9vH/Agcmg20K82AzOKbwSCRwxitK+o2hOR1KX1WWUA== Received: from DB5EUR01FT018.eop-EUR01.prod.protection.outlook.com (2a01:111:e400:7e1a::4b) by DB5EUR01HT187.eop-EUR01.prod.protection.outlook.com (2a01:111:e400:7e1a::317) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.17; Fri, 9 Apr 2021 15:19:58 +0000 Received: from AM9PR09MB4642.eurprd09.prod.outlook.com (2a01:111:e400:7e1a::52) by DB5EUR01FT018.mail.protection.outlook.com (2a01:111:e400:7e1a::251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.17 via Frontend Transport; Fri, 9 Apr 2021 15:19:58 +0000 X-IncomingTopHeaderMarker: OriginalChecksum:76044CA5913D4D78285C324E0539162CB036C1F0C7C64AB2E1C48DF7AE6C3A42;UpperCasedChecksum:DBE772F9335175C35B10D3ABF4D2BFB42EEF1D1C56C71E8BC3178A32016A2EF4;SizeAsReceived:8694;Count:47 Received: from AM9PR09MB4642.eurprd09.prod.outlook.com ([fe80::35f3:a85d:b2c5:d4b4]) by AM9PR09MB4642.eurprd09.prod.outlook.com ([fe80::35f3:a85d:b2c5:d4b4%4]) with mapi id 15.20.4020.021; Fri, 9 Apr 2021 15:19:58 +0000 Subject: Re: [yocto] #golang: go fetches dependencies in compile phase To: yocto@lists.yoctoproject.org, juergen.landwehr@gmx.de References: From: "Konrad Weihmann" Message-ID: Date: Fri, 9 Apr 2021 17:19:56 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 In-Reply-To: X-TMN: [9tWbUTdquhhCVwgwJaDeZnv3uvBCUURV] X-ClientProxiedBy: AM5PR1001CA0071.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:206:15::48) To AM9PR09MB4642.eurprd09.prod.outlook.com (2603:10a6:20b:284::24) Return-Path: kweihmann@outlook.com X-Microsoft-Original-Message-ID: <06b668d4-0503-bcdb-ddf2-86d01d00968c@outlook.com> MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [192.168.188.23] (87.141.85.34) by AM5PR1001CA0071.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:206:15::48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.17 via Frontend Transport; Fri, 9 Apr 2021 15:19:57 +0000 X-MS-PublicTrafficType: Email X-IncomingHeaderCount: 47 X-EOPAttributedMessage: 0 X-MS-Office365-Filtering-Correlation-Id: e1ad07eb-7ad6-4cd5-0ea6-08d8fb6aef93 X-MS-TrafficTypeDiagnostic: DB5EUR01HT187: X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: EJqePV3D5YZCLPrqLLd7UsShrJghjGaHFhJOyP5IQqxOcMUX6lD4+93NVAsueIescMdIoHxqPB6g66WohxhEwtjlagQ9v8UgGRDbQ0OwKc5/kCUQ9XT4ECMqxU5YvEJMa/MzBW2MgFPCPVuX/dsWfeHbR6iOUcs7Q+hSrXI3tMMOZjPOEj1GdrjtNGk/FDu0j3YYau064FGC2ctvdatZKASB6RNbtaa3iaY+VSFXehcEVwOYLh66wJkzaokicN3fEog9EJ6/pUBBcntIpUK+KupiU7yLXwswheObLuU9bw6yVGLQhVIv3AJ1MbDCdf0mcEvgiYjtHburfJEw4Gy0e93hKUIQgsQxn/Ici1odJ8AewQPF9Dgg9B3NEuKCn9/3RTptUB+ExnVQ8FGch4vvcQ== X-MS-Exchange-AntiSpam-MessageData: ZratgrD7XMlFlRgiFHf4zz2WWdm+Zn40+v8DnRBgncmei2c6EAjfOHW9041nToyj+YzItQPlBVvPOBKwNwjvIi4V3HKziAmMOFPpiVb3qYV3ClQnl5Siv7oQCbIebx7OLZ165V8Hyd2EO1f4GQLXgg== X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: e1ad07eb-7ad6-4cd5-0ea6-08d8fb6aef93 X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Apr 2021 15:19:58.0668 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-CrossTenant-AuthSource: DB5EUR01FT018.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: Internet X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000 X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB5EUR01HT187 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable Well AFAIK your observation is correct, go-mod.bbclass doesn't work a in=20 BB_NO_NETWORK-safe manner. What you could do is to provide all the dependencies manually and add=20 them via DEPENDS, which is grant the behavior expected. The bad thing about go is that chances of circular dependencies of go=20 modules are relatively high. I've also seen a few approaches using vendoring to escape this, but I'm=20 afraid none of the code is pretty well tested nor publicly available. If you'd ask me, I would go the long painful road of providing each=20 required go module as a recipe of it's own and inject it into the final=20 recipe - this also makes it pretty visible what you're pulling into your=20 build in terms of licensing a.s.o. On 09.04.21 15:53, Juergen Landwehr wrote: > Hi, > we are developing an application in go and use the "go-mod" bb-class=20 > from poky. This works fine. > However, the problem is, that the dependencies in go.mod are now fetched= =20 > in the compile phase and not in the fetch phase. > This is not allowed in our project setup and kind of contradicts the=20 > Yocto paradigmn of having a fetch and a compile phase. > Is there a way to avoid this or some other solution that we could use? > Thanks, > J=C3=BCrgen From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: #golang: go fetches dependencies in compile phase To: yocto@lists.yoctoproject.org From: "Juergen Landwehr" X-Originating-Location: Stuttgart, Baden-Württemberg, DE (141.113.11.14) X-Originating-Platform: Mac Firefox 87 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Mon, 12 Apr 2021 01:30:23 -0700 References: In-Reply-To: Message-ID: <1289.1618216223180826737@lists.yoctoproject.org> Content-Type: multipart/alternative; boundary="Bnnc5atKnGbuXjMjfwjp" --Bnnc5atKnGbuXjMjfwjp Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Konrad, thanks for your reply. It is interesting that you mention vendoring, because we tried this approa= ch as well. We started to develop a "go-mod-vendor.bbclass", which retrieve= s the application source code in "do_fetch_append" and then calls "go mod vendor= ". The big problem was, that in that phase there is not yet a go executable a= vailable for the recipe, so we downloaded our own go version, which makes t= his approach a bit ugly. But there is already a go version installed on the build host, right? In "= poky/meta/recipes-devtools/go" I found a "go-native_1.14.bb" recipe. So can we use this go exectuable somehow by adding a dependency (e.g. DEPE= NDS=3D"go-native") and then use a path to the go exectuable that is guarant= eed to work? The other alternative (defining a recipe for each dependent go module) sou= nds really painful. Especially as we have quite a few dependencies, which h= ave dependencies as well. I see the point, that doing it that way makes it more visible and more Yoc= to like, but thinking about it gives me headaches already :) Thanks again. --Bnnc5atKnGbuXjMjfwjp Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Konrad,

thanks for your reply.

It is interest= ing that you mention vendoring, because we tried this approach as well. We = started to develop a "go-mod-vendor.bbclass", which retrieves the
appl= ication source code in "do_fetch_append" and then calls "go mod vendor".
The big problem was, that in that phase there is not yet a go exe= cutable available for the recipe, so we downloaded our own go version, whic= h makes this approach a bit ugly.

But there is already a go ver= sion installed on the build host, right? In "poky/meta/recipes-devtools/go"= I found a "go-native_1.14.bb" recipe.
So can we use this go exectuab= le somehow by adding a dependency (e.g. DEPENDS=3D"go-native") and then use= a path to the go exectuable that is guaranteed to work?

The oth= er alternative (defining a recipe for each dependent go module) sounds real= ly painful. Especially as we have quite a few dependencies, which have depe= ndencies as well.
I see the point, that doing it that way makes it mo= re visible and more Yocto like, but thinking about it gives me headaches al= ready :)

Thanks again. --Bnnc5atKnGbuXjMjfwjp-- From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49]) by mx.groups.io with SMTP id smtpd.web11.29506.1618218015983290694 for ; Mon, 12 Apr 2021 02:00:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20161025 header.b=sYiM6tiQ; spf=pass (domain: gmail.com, ip: 209.85.221.49, mailfrom: robert.berger.yocto.user@gmail.com) Received: by mail-wr1-f49.google.com with SMTP id e7so3097707wrs.11 for ; Mon, 12 Apr 2021 02:00:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=FAy/65Ws0QxURhqOa6lL7uc2LBgsIUGyoKzmH18484M=; b=sYiM6tiQxPe7WDKxBbg+687QaqzVYInyyp9CI1Ztap5GbJBy7H/hQj6osjia0lvWOQ yjB+Y/l9EQtGApKTzZUtRUebU/P/jzbFoOE8TA51uouF1uoZbmDFdO8UW2iTyj1oeu0f ioGjnuU6nBWS3HTf9iMGzf/JEl3pAz2zhpUaIUCOlawSEYra5QkvYa/tiAkab6v3rxCc EJ+aJiPP8fsI5qER3C/w+Hr3MHguXeJusEVsqnqS6sN6Q6UYnNAnwM84bATH36uoG+nY eoRMkjmG/8fR/fulvooM9JGPGHlLD4SWWX9TRt0dyCLwTjOcdAR+D/Z/1nkt7OVaJlUj T7eg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=FAy/65Ws0QxURhqOa6lL7uc2LBgsIUGyoKzmH18484M=; b=JmwyLlifYMVtGbuKMokD3Y9d+tbX246xQMJ04vGQLqtdRiGQcvrrGYtdCpBBaXyBYh mmyPijLGRNFbpAcCRKiQ2ZEDQ7mJnMnmTL/2fMUm911shNhxiPE1L8LxtCF5ZDIZ/xay /0jGo7QxE7b/Nfu14wdqksQwx3PQ1v4gOOHZIcaUM3/JVhTb1WkZSu5TE1Xz7oH3+VRv XNJdtri+gWBi7VvgY+CIYHBY8Smwo9LvIqpbXOb48NRUiSbiBZj23m7kNRjeIsF+FHBX OLqD16fJRUitXLll37o9Py/xQoMp3ijhdFj9zaHYn/8Vvwf+hNqZZL8ip868RstQCkbg 7GTA== X-Gm-Message-State: AOAM531uKAWMafvDv+nGRdUrnOwe+cSAfVKjLKV/yXv2vjNdf2YEW3Oa hG+DKrFccfZtW5ZJP2NZ6fc= X-Google-Smtp-Source: ABdhPJzEWjbDXDXfsunYMFQd2Iz0eFSbiPiNfbssVpwdTRCqESKIN0LwGtp9vSgb+BvQSCwP0mxYQA== X-Received: by 2002:a05:6000:c2:: with SMTP id q2mr19732427wrx.200.1618218014439; Mon, 12 Apr 2021 02:00:14 -0700 (PDT) Return-Path: Received: from [192.168.42.52] (ppp-2-86-147-152.home.otenet.gr. [2.86.147.152]) by smtp.gmail.com with ESMTPSA id m67sm15176270wme.27.2021.04.12.02.00.13 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Apr 2021 02:00:13 -0700 (PDT) Subject: Re: [yocto] #golang: go fetches dependencies in compile phase To: Juergen Landwehr , yocto@lists.yoctoproject.org Cc: alex.kanavin@gmail.com, Khem Raj , kweihmann@outlook.com References: From: "Robert Berger" Message-ID: <8f3535e5-42c0-baf7-ae8b-fca906f33d05@gmail.com> Date: Mon, 12 Apr 2021 12:00:12 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit On 09/04/2021 16:53, Juergen Landwehr wrote: > Hi, > we are developing an application in go and use the "go-mod" bb-class > from poky. This works fine. > However, the problem is, that the dependencies in go.mod are now fetched > in the compile phase and not in the fetch phase. Alexander (whom you cc'ed here as well) wrote a long time ago on the mailing list[1] about this stuff. We have a couple of issues with those "modern" languages like go, which behave quite differently from good old Unix stuff. So the paradigm on which the whole Bitbake/OpenEmbedded/Yocto system was built does not quite apply for those. Don't get me wrong, you can also do stupidities like git clone via make or cmake, but this is most likely not the way those tools should be used. 1) "Guaranteed __NOT__ reproducible builds"(C) Go pulls in dependencies by itself, which might explain why it's in the compile phase and not it the fetch phase. This leads to many interesting issues, like "guaranteed __NOT__ reproducible builds"(C). The problem is, that you don't have any influence on dependencies of dependencies. Someone changes somewhere a dependency on github and the party starts. 1.1) One sane solution to "please give me always the same input" is what Konrad already mentioned in combination with a local golang proxy. 2) Open Source License Compliance If you pull in all those funny dependencies and also link things statically, like with go, Open Source License Compliance is getting very interesting. People typically just use the license of the top level "main" entry point. In reality you would need to check all the dependency tree for licenses. You should also check if it's legally allowed to combine the licenses and in case it's allowed what are implications of GPLvx, LGPLv2, LGPLv3 without exceptions for your product. [1] https://www.yoctoproject.org/pipermail/yocto/2017-March/035028.html Regards, Robert From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: #golang: go fetches dependencies in compile phase To: yocto@lists.yoctoproject.org From: "Juergen Landwehr" X-Originating-Location: Stuttgart, Baden-Württemberg, DE (141.113.11.14) X-Originating-Platform: Mac Firefox 87 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Mon, 12 Apr 2021 04:47:33 -0700 References: <8f3535e5-42c0-baf7-ae8b-fca906f33d05@gmail.com> In-Reply-To: <8f3535e5-42c0-baf7-ae8b-fca906f33d05@gmail.com> Message-ID: <7847.1618228053017471875@lists.yoctoproject.org> Content-Type: multipart/alternative; boundary="RO5QskGs7l4d8YEDFrSo" --RO5QskGs7l4d8YEDFrSo Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Robert, thanks for your thoughts. I see your point and the last thing I want is "NOT reproducable builds". But dependency management in go is not that arbitrary as it may seem. Depe= ndencies and their version is stored in "go.mod". To ensure reproducable bu= ilds, hashes for each dependency and version are stored in "go.sum". Both f= iles are in git and together with a local golang proxy, this should ensure = reproducable builds, right? To ensure that licences are valid and did not change over time, we develop= ed a little tool, that goes through all dependencies and creates the follow= ing output, which we insert into our recipe: LICENSE =3D "Apache-2.0 & MIT & MIT & BSD-2-Clause & BSD-3-Clause & ... LIC_FILES_CHKSUM =3D " \ file://${S}/src/${GO_IMPORT}/vendor/github.com/coreos/go-oidc/LICENSE;md5= =3Dd2794c0df5b907fdace235a619d80314 \ file://${S}/src/${GO_IMPORT}/vendor/github.com/go-playground/locales/LICEN= SE;md5=3D3ccbda375ee345400ad1da85ba522301 \ file://${S}/src/${GO_IMPORT}/vendor/github.com/go-playground/universal-tra= nslator/LICENSE;md5=3D2e2b21ef8f61057977d27c727c84bef1 \ file://${S}/src/${GO_IMPORT}/vendor/github.com/godbus/dbus/v5/LICENSE;md5= =3D09042bd5c6c96a2b9e45ddf1bc517eed \ file://${S}/src/${GO_IMPORT}/vendor/github.com/golang/gddo/LICENSE;md5=3D4= c728948788b1a02f33ae4e906546eef \ ... This is a manual step and whenever dependencies change we have to crea= te this list again and add it to the recipe, but it contains all the requir= ed license information and makes them visible in the recipe. It might pollute the recipe a bit, but luckily we do not have thousands of= dependencies like some npm projects. So I think it is still manageable. An= d is it much less work, than defining a recipe for each dependency. So we would * guarantee reproducable builds * use the programming language (in our case golang) to handle dependency m= anagement * ensure that licenses are visible and correct I mean it is not perfect and still a compromise, but it should work withou= t breaking reproducable builds or causing license issues? What do you think? Regards, J=C3=BCrgen PS: Thanks for the link. I was not aware of this discussion (it is quite a= bit to read:)) --RO5QskGs7l4d8YEDFrSo Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Robert,

thanks for your thoughts.

I see your poi= nt and the last thing I want is "NOT reproducable builds".

But = dependency management in go is not that arbitrary as it may seem. Dependenc= ies and their version is stored in "go.mod". To ensure reproducable builds,= hashes for each dependency and version are stored in "go.sum". Both files = are in git and together with a local golang proxy, this should ensure repro= ducable builds, right?

To ensure that licences are valid and did= not change over time, we developed a little tool, that goes through all de= pendencies and creates the following output, which we insert into our recip= e: 

LICENSE =3D "Apache-2.0 & M=
IT & MIT & BSD-2-Clause & BSD-3-Clause & ...

LIC=
_FILES_CHKSUM =3D " \
file://${S}/src/${GO_IMPORT}/vendor/github.com/c=
oreos/go-oidc/LICENSE;md5=3Dd2794c0df5b907fdace235a619d80314 \
file://=
${S}/src/${GO_IMPORT}/vendor/github.com/go-playground/locales/LICENSE;md5=
=3D3ccbda375ee345400ad1da85ba522301 \
file://${S}/src/${GO_IMPORT}/ve=
ndor/github.com/go-playground/universal-translator/LICENSE;md5=3D2e2b21ef8f=
61057977d27c727c84bef1 \
file://${S}/src/${GO_IMPORT}/vendor/github.co=
m/godbus/dbus/v5/LICENSE;md5=3D09042bd5c6c96a2b9e45ddf1bc517eed \
file=
://${S}/src/${GO_IMPORT}/vendor/github.com/golang/gddo/LICENSE;md5=3D4c7289=
48788b1a02f33ae4e906546eef \
...
This is a manual step and whenever dependencies change we have to create t= his list again and add it to the recipe, but it contains all the required l= icense information and makes them visible in the recipe.

It mig= ht pollute the recipe a bit, but luckily we do not have thousands of depend= encies like some npm projects. So I think it is still manageable. And is it= much less work, than defining a recipe for each dependency.

So = we would
* guarantee reproducable builds
* use the programming la= nguage (in our case golang) to handle dependency management
* ensure t= hat licenses are visible and correct

I mean it is not perfect an= d still a compromise, but it should work without breaking reproducable buil= ds or causing license issues?
What do you think?

Regards, <= br />Jürgen

PS: Thanks for the link. I was not aware of thi= s discussion (it is quite a bit to read:)) --RO5QskGs7l4d8YEDFrSo-- From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-vs1-f54.google.com (mail-vs1-f54.google.com [209.85.217.54]) by mx.groups.io with SMTP id smtpd.web10.31556.1618230075262219964 for ; Mon, 12 Apr 2021 05:21:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20161025 header.b=dGnrjTn1; spf=pass (domain: gmail.com, ip: 209.85.217.54, mailfrom: alex.kanavin@gmail.com) Received: by mail-vs1-f54.google.com with SMTP id 66so6510327vsk.9 for ; Mon, 12 Apr 2021 05:21:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U7nb9JnsgfLj6YavCiVGowR5k5zMl3xdJhUO0wJFIEI=; b=dGnrjTn1KvOn1zPo75DimleAgndd7m5B7QqW/b3otm1KsGGgEQmqjR+oMx4dxxT1BK Ttast+xgEn6C5RXQeNvsdjcoJRAE8O8WbGUWF82S3sFvuflIN5F0jTicP+e1uZUQrDSk +dWfcwixcvYyNx0MCKnE7yaPLCLxogPEi13+msp58VALELaea5726qSZPTXTbT/GI15Q 3gRhRpjWmmXN3TImO5G/BexxvpSk+q9MWqnOqCLjw911FQZNQWzBflZrh8cqBFOlvX0l P2v2cT824Ti+2vGJom+vBBjFmpIM+q8F8DfcF/g80uplQuNMAdmTnlm6MSSJC3SuMJvW Gxzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U7nb9JnsgfLj6YavCiVGowR5k5zMl3xdJhUO0wJFIEI=; b=LMkUTDtQRDnvBYfzdo4tC2KHr71x5k1r9psJGlbztU59yy9TSNL+OQXtajFRKOqHLC +dw6buhHBbpnU14m9VSG34Dk7vlF8i5btw2ERJXW12J6mHaJ6p+oLDH/EE4/FgcZ2CLy YOsvRxYRGh/t61X3ur+uo5IawTDozHzgqwcdNiSrIVqGHUQripkq5gT2/uoPghgeNHhT eZH+54vAePrOyRrnYskx+IoneHehOG1PiipMe+QiWxhH+pV29U9gUgfx7rBbuLClQClY 2l8zuweJCAh8HPvPoyOCMAcqEYpa3+StK0K3derm8TyuekTiCcIB6RinrQ4NHe8BeX44 Tq6g== X-Gm-Message-State: AOAM530YU5ERWJ9aaJZvY/bF5URaUJC3Og5Eyrh8dKUY7YPJzzNsQml0 IDLY3NI3+F16UymfdFD6trYQM9QGK8rBO0cWmsg= X-Google-Smtp-Source: ABdhPJzw2x435lhxvB+Flt5RvBUvOV/Zj+6qmfIxdkTlLar5DJnNpWQRq6zPLsZ5CGJO2M3bw6Na8+pwPysEhpapU/o= X-Received: by 2002:a67:8c1:: with SMTP id 184mr19097627vsi.31.1618230074370; Mon, 12 Apr 2021 05:21:14 -0700 (PDT) MIME-Version: 1.0 References: <8f3535e5-42c0-baf7-ae8b-fca906f33d05@gmail.com> <7847.1618228053017471875@lists.yoctoproject.org> In-Reply-To: <7847.1618228053017471875@lists.yoctoproject.org> From: "Alexander Kanavin" Date: Mon, 12 Apr 2021 14:21:03 +0200 Message-ID: Subject: Re: [yocto] #golang: go fetches dependencies in compile phase To: Juergen Landwehr Cc: yocto@lists.yoctoproject.org Content-Type: multipart/alternative; boundary="000000000000bf6ba105bfc58c4d" --000000000000bf6ba105bfc58c4d Content-Type: text/plain; charset="UTF-8" On Mon, 12 Apr 2021 at 13:47, Juergen Landwehr wrote: > But dependency management in go is not that arbitrary as it may seem. > Dependencies and their version is stored in "go.mod". To ensure > reproducable builds, hashes for each dependency and version are stored in > "go.sum". Both files are in git and together with a local golang proxy, > this should ensure reproducable builds, right? > Reproducibility means anyone can run a build at any point in the future even if the upstream repositories are gone, so all inputs must be stored in a local download cache, which is the other thing SRC_URI guarantees, in addition to verifying integrity of the inputs. Alex --000000000000bf6ba105bfc58c4d Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Mon, 12 Apr 2021 at 13:47, Juergen Landwehr <juergen.landwehr@gmx.de> wrote:
<= blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l= eft:1px solid rgb(204,204,204);padding-left:1ex">But dependency management = in go is not that arbitrary as it may seem. Dependencies and their version = is stored in "go.mod". To ensure reproducable builds, hashes for = each dependency and version are stored in "go.sum". Both files ar= e in git and together with a local golang proxy, this should ensure reprodu= cable builds, right?

Reproducibility me= ans anyone can run a build at any point in the future even if the upstream = repositories are gone, so all inputs must be stored in a local download cac= he, which is the other thing SRC_URI guarantees, in addition to verifying i= ntegrity of the inputs.

Alex
--000000000000bf6ba105bfc58c4d-- From mboxrd@z Thu Jan 1 00:00:00 1970 Subject: #golang: go fetches dependencies in compile phase To: yocto@lists.yoctoproject.org From: "Juergen Landwehr" X-Originating-Location: Stuttgart, Baden-Württemberg, DE (141.113.11.14) X-Originating-Platform: Mac Firefox 87 User-Agent: GROUPS.IO Web Poster MIME-Version: 1.0 Date: Mon, 12 Apr 2021 07:01:57 -0700 References: In-Reply-To: Message-ID: <7847.1618236117006142456@lists.yoctoproject.org> Content-Type: multipart/alternative; boundary="bULtm5YGULtjxocBwcHG" --bULtm5YGULtjxocBwcHG Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Alex, OK, understood. If the "local download cache path" is well-known (this is not by any chanc= e $DL_DIR?), then we could create a tar from the vendor directory (which is= created when you call "go mod vendor" and contains all the downloaded depe= ndencies) and put this tar file into the download cache. Before actually calling "go mod vendor", we would first check, if there is= a tar file for the vendor directory in the download cache and if so simply= unpack the tar. Does this make sense, or am I too naive and this is just nonsense? J=C3=BCrgen --bULtm5YGULtjxocBwcHG Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Alex,

OK, understood.

If the "local download cac= he path" is well-known (this is not by any chance $DL_DIR?), then we could = create a tar from the vendor directory (which is created when you call "go = mod vendor" and contains all the downloaded dependencies) and put this tar = file into the download cache.

Before actually calling "go mod ve= ndor", we would first check, if there is a tar file for the vendor director= y in the download cache and if so simply unpack the tar.

Does th= is make sense, or am I too naive and this is just nonsense?

J&uu= ml;rgen --bULtm5YGULtjxocBwcHG-- From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-vk1-f181.google.com (mail-vk1-f181.google.com [209.85.221.181]) by mx.groups.io with SMTP id smtpd.web08.19547.1618237536620373392 for ; Mon, 12 Apr 2021 07:25:36 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Fko2OQGU; spf=pass (domain: gmail.com, ip: 209.85.221.181, mailfrom: alex.kanavin@gmail.com) Received: by mail-vk1-f181.google.com with SMTP id f11so2886515vkl.9 for ; Mon, 12 Apr 2021 07:25:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BjnBr66mZLY6Rb9zVFj6wjQ3nxbtAPyHrsc9iKkhEoM=; b=Fko2OQGULH2vulLRlo+0cadEDp84v2xh9xhMXCWxyMepHaOZtNoQVzkKujwrFj/0WS uK0A/T4u17I2IFAoLIOe6WIyTUqUy/wCWN56UJ69SUE3iko34UJeJj7vQ9Nf+Q+UzsRq ygcTM3GL4d/OJlYA+i4X2mEbWh0JNCGN28v/zjOn54LHwGXbeuFV7NRoJzx/T9/vL8mV AKtvwUzFCvonMihVr6qs0IR4mTpPEN49FQ9MCfu/kQSBAhQG3VIesNwx2lfgX3UmJXou Ah86IX0zDkEUObsM099hu5GLvQSIO5dLSqsJykjZ+T3KLxOeerMQjS2Edz1x4Bg4tgKO A3tw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BjnBr66mZLY6Rb9zVFj6wjQ3nxbtAPyHrsc9iKkhEoM=; b=s/pPP4P0NW3sXRo7BPBV8IoNPt8H7HbVWlWi3728zXH1RVtKHWukJJHpduuKbsA+Zh u2H4W5ZwELkqZ2/zA8G3oSqnbzRuiZwDd6/XI66yzOSzQtn5MkGEOeogMp1JPprzp0m6 dpxiDi3NqHMk8oPW/fc+qPlNL+U1WMUowoXC00EPtD7znZOObENC1dW9v6Kb+5bXOawy EUPd3dU0mLBWsIqp0EpU95hVUu+bGJLb7C2eTEntC4CjV/ce77ixoRaYfUeBa2z0b8Gc uXaoYRQ/O4u8EGQL+mI9TIrVnfeNzFo7rJAQhAqOhZASoQ9Y3xTma3LbH5iA4hOZ2bAj yQQQ== X-Gm-Message-State: AOAM532YMu4W7G3mfwkQLk7D5cHyooOZ0GUAW+7+uWv8h0LE6EBUfg4z mqwfB4QXBOU7psISVSYtVY3Df9uGgVa7w/jrEJc= X-Google-Smtp-Source: ABdhPJxmYDyqtA0jOKsE5g7J/EYWD+bdwN3XF05ZKXwgAJyCZCJVz0Pelr9UP9zamzC1q7GSFbWIQUQ/hZk85ll9QFk= X-Received: by 2002:a1f:4551:: with SMTP id s78mr19998001vka.7.1618237475852; Mon, 12 Apr 2021 07:24:35 -0700 (PDT) MIME-Version: 1.0 References: <7847.1618236117006142456@lists.yoctoproject.org> In-Reply-To: <7847.1618236117006142456@lists.yoctoproject.org> From: "Alexander Kanavin" Date: Mon, 12 Apr 2021 16:24:24 +0200 Message-ID: Subject: Re: [yocto] #golang: go fetches dependencies in compile phase To: Juergen Landwehr Cc: yocto@lists.yoctoproject.org Content-Type: multipart/alternative; boundary="000000000000e9144405bfc745fb" --000000000000e9144405bfc745fb Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I'd suggest you place that tarball into some artefact storage, and have it listed in SRC_URI. Then the standard Yocto mechanism for fetching, checksumming, caching and unpacking tarballs kicks in, so you only need to make sure the tree is set up correctly after unpacking, maybe with some simple post-processing. Alex On Mon, 12 Apr 2021 at 16:02, Juergen Landwehr wrote: > Hi Alex, > > OK, understood. > > If the "local download cache path" is well-known (this is not by any > chance $DL_DIR?), then we could create a tar from the vendor directory > (which is created when you call "go mod vendor" and contains all the > downloaded dependencies) and put this tar file into the download cache. > > Before actually calling "go mod vendor", we would first check, if there = is > a tar file for the vendor directory in the download cache and if so simp= ly > unpack the tar. > > Does this make sense, or am I too naive and this is just nonsense? > > J=C3=BCrgen >=20 > > --000000000000e9144405bfc745fb Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I'd suggest you place that tarball into some arte= fact storage, and have it listed in SRC_URI. Then the standard Yocto mechan= ism for fetching, checksumming, caching and unpacking tarballs kicks in, so= you only need to make sure the tree is set up correctly after unpacking, m= aybe with some simple post-processing.

Alex

On Mon, 12 Apr 2021 at 16:02, Juergen Landwehr <juergen.landwehr@gmx.de> wrote:
Hi Alex,

OK, understoo= d.

If the "local download cache path" is well-known (this= is not by any chance $DL_DIR?), then we could create a tar from the vendor= directory (which is created when you call "go mod vendor" and co= ntains all the downloaded dependencies) and put this tar file into the down= load cache.

Before actually calling "go mod vendor", we wo= uld first check, if there is a tar file for the vendor directory in the dow= nload cache and if so simply unpack the tar.

Does this make sense, o= r am I too naive and this is just nonsense?

J=C3=BCrgen


--000000000000e9144405bfc745fb-- From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.web11.18714.1618428661306970275 for ; Wed, 14 Apr 2021 12:31:01 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20161025 header.b=AqrtSH12; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: robert.berger.yocto.user@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id b136-20020a1c1b8e0000b029012c69da2040so3739680wmb.1 for ; Wed, 14 Apr 2021 12:31:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=wZCJxX2/sxHXgE5DuS44YAXQeaFEKpefzgT/Ldl1FzY=; b=AqrtSH12rKBSC3TOaSg3ARUmY1BmuTitxjcKDJvW4g1b4KNTpoYzteHQDwu2xwss5r ggbgUzCXr6w0bVOkOq+8W7RUMzp66QcbpLFISi41/NCg486KV0JdCtzT8LWsi+dqIvUh MzCrqc+nvwcHZO6VrFlv0Z2LnTTuTLY2J+Lc+iKCAoBjWWfjjUEhGU4ttFVC68zVH8w3 1uqun91GoXyB6crCr6/vh7JV59gRCCI5+RVXTpu38taFWx+VsBkvddmsc3ifPiZIOx+1 g7IwrMTwPxPQitoX/85+mhhwJvMkBu2HHJWJ2USoGjpW+0hTPPRLfPGjZYO4dqrTs95K 3Ohw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=wZCJxX2/sxHXgE5DuS44YAXQeaFEKpefzgT/Ldl1FzY=; b=LQEZm3q7ZeNKWEnnRPu5ISd7xXA9L8cKUzarAd07b1Wu8cD6zUI2yOoVHXQwyT5CjE DdU771wEt6w67tdSkqJiRSGaEh/JtLqgmb7FF6Fa1/PVBV4KwsT+2NflQnEVTRo2EJQJ u0XLEoFVOap1Rhr0O00ZUDecV1cBGlPL0s0LFTIMh+bZAVFZLArhYsGfoAlbwM+MAnB1 Ts4XARApf/zv1qr9347i+EITNCW7uve1cUQiFmzOaHJDi61WSjUia7M5I6b6ScnVIJui ZyYy3IsA+tpeZdYQQs80OnwbBNCX8rqO+lvzQUEnpLwHDTfCnmy4StJqsCvIY8CxCKyN ye8g== X-Gm-Message-State: AOAM533BW71LlK4AEVonM0/NhP4/kQbsjom0Y2YvCn91KKkQuQ3ul4gm QoYH6/m4WRv+YEO9x4E8F4LwUEBq6tM= X-Google-Smtp-Source: ABdhPJz8Kk6q2HtBl7+Aj3iGfoMqecreIkRSNZVBfO0di8z/ojZKJeSWVztJEL+y2CwoImq514Nayg== X-Received: by 2002:a1c:c910:: with SMTP id f16mr2261538wmb.136.1618428659681; Wed, 14 Apr 2021 12:30:59 -0700 (PDT) Return-Path: Received: from [192.168.42.52] (ppp-2-86-147-152.home.otenet.gr. [2.86.147.152]) by smtp.gmail.com with ESMTPSA id d5sm433446wrx.0.2021.04.14.12.30.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 14 Apr 2021 12:30:59 -0700 (PDT) Subject: Re: [yocto] #golang: go fetches dependencies in compile phase To: Juergen Landwehr , yocto@lists.yoctoproject.org References: <8f3535e5-42c0-baf7-ae8b-fca906f33d05@gmail.com> <7847.1618228053017471875@lists.yoctoproject.org> From: "Robert Berger" Message-ID: <5331e9f9-b681-b550-68c0-8cbc752bba1d@gmail.com> Date: Wed, 14 Apr 2021 22:30:57 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 MIME-Version: 1.0 In-Reply-To: <7847.1618228053017471875@lists.yoctoproject.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Hi, My comments are inline. On 12/04/2021 14:47, Juergen Landwehr wrote: > Hi Robert, > > thanks for your thoughts. > > I see your point and the last thing I want is "NOT reproducable builds". > > But dependency management in go is not that arbitrary as it may seem. ... if everybody does what they are supposed to - which is not the case. > Dependencies and their version is stored in "go.mod". To ensure > reproducable builds, hashes for each dependency and version are stored > in "go.sum". Both files are in git and together with a local golang > proxy, this should ensure reproducable builds, right? This does not sound too bad. This would also mean, that if the outside repo dies you can still build and that you know what's on your proxy. > > To ensure that licences are valid and did not change over time, we > developed a little tool, that goes through all dependencies and creates > the following output, which we insert into our recipe: > > LICENSE = "Apache-2.0 & MIT & MIT & BSD-2-Clause & BSD-3-Clause & ... Here you 1) Totally lost which License comes from which module and I hope 2 times MIT is just a typo. Of course if you are really serious about licensing you should use a tool like fossology, upload all your sources there and inspect them. You will be surprised. There are a couple of tools out there which scan your sources and some which claim to do stuff with golang as well. 2) Do you check if the licenses are compatible? MIT and Apache are compatible: some googling: "Both the Apache License and the MIT license are permissive, so incorporating MIT licensed code into your Apache licensed project is certainly allowed. Just be sure to attribute the original author for the parts your incorporated and include a copy of the MIT License terms, as required by the license." Apache and BSD should also be OK: some googling: "In both of them you must: Include copyright But in Apache, unlike BSD you must: Include License State Changes Include Notice " > > LIC_FILES_CHKSUM = " \ > file://${S}/src/${GO_IMPORT}/vendor/github.com/coreos/go-oidc/LICENSE;md5=d2794c0df5b907fdace235a619d80314 \ > file://${S}/src/${GO_IMPORT}/vendor/github.com/go-playground/locales/LICENSE;md5=3ccbda375ee345400ad1da85ba522301 \ > file://${S}/src/${GO_IMPORT}/vendor/github.com/go-playground/universal-translator/LICENSE;md5=2e2b21ef8f61057977d27c727c84bef1 \ > file://${S}/src/${GO_IMPORT}/vendor/github.com/godbus/dbus/v5/LICENSE;md5=09042bd5c6c96a2b9e45ddf1bc517eed \ > file://${S}/src/${GO_IMPORT}/vendor/github.com/golang/gddo/LICENSE;md5=4c728948788b1a02f33ae4e906546eef \ > ... > > This is a manual step and whenever dependencies change we have to create > this list again and add it to the recipe, but it contains all the > required license information and makes them visible in the recipe. really all? You search through every single file of a go module and it's dependencies? Or just the license text, if there is one? > > It might pollute the recipe a bit, but luckily we do not have thousands > of dependencies like some npm projects. So I think it is still > manageable. And is it much less work, than defining a recipe for each > dependency. > > So we would > * guarantee reproducable builds > * use the programming language (in our case golang) to handle dependency > management > * ensure that licenses are visible and correct > > I mean it is not perfect and still a compromise, but it should work > without breaking reproducable builds or causing license issues? > What do you think? > > Regards, > Jürgen > > PS: Thanks for the link. I was not aware of this discussion (it is quite > a bit to read:)) Regards, Robert > > > >