From: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
To: Konrad Weihmann <kweihmann@outlook.com>,
Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>,
Khem Raj <raj.khem@gmail.com>,
Alexander Kanavin <alex.kanavin@gmail.com>
Subject: Re: [OE-core] [PATCH] base/patch: Disable network for unpack/patch/configure/compile/install
Date: Mon, 27 Dec 2021 13:54:11 +0100 [thread overview]
Message-ID: <d92dcf7c-604a-2d67-c632-5d093148104e@herbrechtsmeier.net> (raw)
In-Reply-To: <AM9PR09MB4642BDE5CE4D2B51493CC1C1A8409@AM9PR09MB4642.eurprd09.prod.outlook.com>
Hi Konrad,
Am 25.12.21 um 21:43 schrieb Konrad Weihmann:
> What I so far don't really get is why increase in parsing time is such a
> big deal.
> I admit when we're talking about npm it's some kind of a drastic
> increase in recipes one would have to maintain, just because some random
> project decides to use a trillion dependencies instead of writing two or
> three lines of code more.
>
> Still I come to think this might be actually beneficial, as it shows how
> broken npm is from a distribution perspective - as it may be that some
> users actually start to access the situation when they are actually
> aware what monstrosity of a dep tree they are inheriting by just a
> single npm module.
>
> So this is mind - and I don't want to sound radical - I would rather
> abandon npm and go support in core than to sacrifice closing the one
> main loophole in core that is preventing true accessibility at the moment.
> Which is uncontrolled fetching outside of the fetching task, as this
> invalidates everything you will get in the end in terms of licensing,
> quality reports that haven't been done as part of the build and even CVE
> checking becomes pretty much worthless if one is allowed to inject
> random code on the fly into the build - and in the end everything that
> can't be assessed outside of the build is pretty much non-existing for
> most of the assessments I had to work with.
>
> In the past I showed that npm and go can be made to work with these
> principles, even if they would introduce a different way of working and
> maybe the need for better tooling - *but* they can work with how oe-core
> works at the moment - to the expense of parsing time - and that's pretty
> much it from my point of view.
>
> Still the gains outweigh it by far in my opinion, as it would make all
> of that accessible by common tooling already in place - including true
> reproducibility and builtin quality reports.
>
> BTW I don't think rust and therefore cargo is heavily affected by it, as
> the cargo to bitbake scripting works kind in the way I would imagine for
> npm and go too - so far just npm and go are really really bad to handle
> in this case.
>
> I'm happy to help on such scripting and tooling, but I don't see much
> worth in either accepting the fact that "modern languages" have to
> include some not validatable "magic" (which then would mean allowing
> uncontrolled network access) or working around the fact that a trillion
> dependencies is still a trillion dependencies no matter how you put it (
> :) )
I fully agree with you and would be happy to add a 'recursive' option to
devtool / recipetool to create multiple recipes on the fly instead of
one big recipe with more than 100 different projects inclusive duplicate
and different compatible versions.
next prev parent reply other threads:[~2021-12-27 12:54 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-22 23:20 [PATCH] base/patch: Disable network for unpack/patch/configure/compile/install Richard Purdie
2021-12-23 5:28 ` [OE-core] " Alexander Kanavin
2021-12-23 13:12 ` Richard Purdie
2021-12-23 10:49 ` Peter Kjellerstedt
2021-12-23 11:31 ` Konrad Weihmann
2021-12-23 13:11 ` Richard Purdie
2021-12-23 13:19 ` Konrad Weihmann
2021-12-23 14:52 ` Andreas Müller
2021-12-23 15:01 ` Konrad Weihmann
2021-12-23 15:54 ` Alexander Kanavin
2021-12-23 15:11 ` Jose Quaresma
2021-12-24 6:00 ` Khem Raj
2021-12-24 8:30 ` Richard Purdie
2021-12-24 10:36 ` Konrad Weihmann
2021-12-25 19:32 ` Stefan Herbrechtsmeier
2021-12-25 19:41 ` Alexander Kanavin
2021-12-25 20:43 ` Konrad Weihmann
2021-12-27 12:54 ` Stefan Herbrechtsmeier [this message]
2021-12-27 13:22 ` Konrad Weihmann
[not found] ` <16C41A407A5C2599.27787@lists.openembedded.org>
2021-12-25 21:09 ` Konrad Weihmann
2021-12-27 13:38 ` Stefan Herbrechtsmeier
2021-12-27 14:05 ` Alexander Kanavin
2021-12-27 14:54 ` Eero Aaltonen
2021-12-27 15:47 ` Stefan Herbrechtsmeier
2021-12-25 20:58 ` Konrad Weihmann
2021-12-27 13:13 ` Stefan Herbrechtsmeier
2021-12-25 19:41 ` Khem Raj
2021-12-25 19:25 ` Stefan Herbrechtsmeier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d92dcf7c-604a-2d67-c632-5d093148104e@herbrechtsmeier.net \
--to=stefan@herbrechtsmeier.net \
--cc=alex.kanavin@gmail.com \
--cc=kweihmann@outlook.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=raj.khem@gmail.com \
--cc=richard.purdie@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.