All of lore.kernel.org
 help / color / mirror / Atom feed
From: Christian Stewart <christian@paral.in>
To: buildroot@busybox.net
Subject: [Buildroot] [RFC PATCH v1 1/1] package/pkg-golang: download deps to vendor tree if not present
Date: Thu, 3 Sep 2020 11:51:57 -0700	[thread overview]
Message-ID: <CA+h8R2pRmhGSc3LsqLNVsYG=rLcD000g7FPtJiZ9_tVTvjrCJg@mail.gmail.com> (raw)
In-Reply-To: <20200903135714.68ed2e22@windsurf.home>

Hi Thomas, Sam,

Thanks much for looking into this, and I'm excited at the idea of
splitting vendor into a separate tarball.

In my mind the optimal approach would be to leverage the Go module
system to produce a tarball with associated hash for every Go module
that's imported by any of the selected Build targets, and vendor
specifically those, excluding all else.

I can write the Go code to do this & prototype a proof of concept if
this is the way we are interested in going. It would be IMO
appropriate because every Go module is checksummed, will produce a
guaranteed identical output tarball that we can add to the hash file,
and the vendor tree would only contain the necessary packages for the
build targets flagged by the buildroot config.

On Thu, Sep 3, 2020 at 4:57 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
> > I took a look at `go mod`, it seems to share a similar mechanism with
> > cargo which allows us to pass local paths for dependencies. My
> > proposition is to put the responsibility of whomever is adding a
> > proprietary application, which has mixed dependencies, to instead
> > split any proprietary modules into selectable options in buildroot,
> > and use the standard depends mechanism. To enforce this, we could
> > investigate using license-coalescing options of the package managers
> > to find any proprietary dependencies and fail if they're found to be
> > pointing to upstream URLs (and would be captured) with an error
> > message clearly describing our intentions.

This fits well with what I'm describing above. The Go code to produce
/ extract the tarballs for the dependency modules and the module
metadata could also be used to produce the license check and legal
output. In fact, we could even generate the upstream URLs from this,
and all other metadata desired (even authors information and a
dependency chart).

> Question: for the dependencies, instead of having a single tarball for
> all of them, would there be a way of having separate tarballs for each
> dependency that gets pulled by "go mod" or "cargo" ? If so, then we
> could perhaps be able to teach the package which parts of the package
> are proprietary (including the proprietary dependencies) and which
> parts are open-source and under which license.

See above.

> Note that as a first step, I am personally perfectly fine with what you
> are proposing. The above question is really just a question, not a
> request to implement something like that.

To me those two are the same, heh.

> I think we have a good opportunity to try to solve this problem for
> both Cargo and Go at the same time, so that we at least see if there's
> a reasonably similar solution that can be used.

Since our host-go infrastructure is now up to par, we can integrate
the tool I'm describing above as a host-go package with no external
dependencies since it would only use the Go stdlib.

Best regards,
Christian Stewart

  parent reply	other threads:[~2020-09-03 18:51 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-31  6:23 [Buildroot] [RFC PATCH v1 1/1] package/pkg-golang: download deps to vendor tree if not present Christian Stewart
2020-08-31  7:08 ` Yann E. MORIN
2020-09-03 10:52   ` Sam Voss
2020-09-03 11:57     ` Thomas Petazzoni
2020-09-03 13:01       ` Sam Voss
2020-09-03 13:58         ` Thomas Petazzoni
2020-09-03 18:51       ` Christian Stewart [this message]
2020-09-03 13:28     ` Yann E. MORIN
2020-09-03 14:02       ` Thomas Petazzoni
2020-09-03 15:12         ` Yann E. MORIN
2020-09-03 16:13           ` Thomas Petazzoni
2020-09-03 19:18             ` Yann E. MORIN
2020-09-03 19:40               ` Christian Stewart
2020-09-03 20:43                 ` Yann E. MORIN
2020-09-03 21:47                   ` Christian Stewart
2020-09-04  8:06                     ` Yann E. MORIN
2020-09-04 16:07                       ` Christian Stewart
2020-09-04 20:25                         ` Sam Voss
2020-09-10 22:33                       ` Christian Stewart
2020-09-15 19:10                         ` Arnout Vandecappelle
2020-09-15 20:08                           ` Sam Voss

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+h8R2pRmhGSc3LsqLNVsYG=rLcD000g7FPtJiZ9_tVTvjrCJg@mail.gmail.com' \
    --to=christian@paral.in \
    --cc=buildroot@busybox.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.