Subject: bug#51352: Matterbridge contained a lot of vendored code
To: Denis 'GNUtoo' Carikli, 51352@debbugs.gnu.org
From: Liliana Marie Prikler
Date: Sat, 23 Oct 2021 18:43:37 +0200
Cc: Mathieu Othacehe

Hi,

On Saturday, 23.10.2021 at 16:57 +0200, Denis 'GNUtoo' Carikli wrote:
> Hi,
>
> When I sent the patch adding matterbridge to Guix, I only notified
> that I didn't know if it contained vendored code or not at the last
> moment (after the patch was sent, during the discussion about it, and
> before it was merged).
>
> The issue is that I didn't know go at all and more specifically I
> didn't know how its compilation system worked.
> So I managed to create a package for matterbridge by looking at how
> it was done for other go packages.
>
> After learning more about how go compilation worked, I found out that
> matterbridge contained a lot of vendored code.

Judging from the original issue, you did note that guideline and that
you were unsure about the "under the hood" stuff, which imo should have
prompted a closer look. CC'd Mathieu to check whether pushing it
regardless was intentional.

> And Guix explicitly wants to avoid bundled code. In the "16.6
> Submitting Patches" section of the manual[1], we have:
> > 6. Make sure the package does not use bundled copies of software
> > already available as separate packages.
> And here while most dependencies are not already packaged, some are,
> and I guess that I should read between the lines and conclude that
> all the matterbridge dependencies should rather be packaged.
>
> So the question is what should we do about that.
>
> As I understand it, with the go build system, either you vendor all
> dependencies or you vendor none, and I've not yet managed to find a
> way to work around that in Guix (to do a progressive unvendoring).
>
> So instead I've started working on unvendoring matterbridge[2]
> completely, but if we go this route, there are more than 500
> dependencies.
>
> To do that I first used the following command:
>   guix import go -r github.com/42wim/matterbridge
>
> I then started looking at each package definition that Guix didn't
> manage to detect the license of, and I read the licenses to find if
> they were free software. All the licenses I read were FSDG compliant.
> Usually they had some extra text indicating the provenance of the
> code or they would have multiple free software licenses.
>
> Then I started adding packages for the dependencies that guix import
> go didn't manage to find.

It's good that you've started.
Perhaps you might want to illustrate the dependency "tree" (assuming it
is one) or graph to roughly indicate how much needs to be done and at
which points we could cut off portions of the DAG to process as batches.

> These are repositories that are being forked from the official ones
> for a reason or another.
>
> I've not finished that yet, but I still think it was a good idea to
> open a bug report as I've now more understanding of the problem.
>
> Given the huge amount of dependencies I was wondering what was the
> best approach here:
> - Would it make sense to remove matterbridge from Guix, or should we
>   fix it instead?

I'll let Mathieu decide that one.

> - If we fix it by packaging each dependency, would it be ok if that
>   is done step by step, like if dependencies are packaged and patches
>   for them are sent, without necessarily a way to seriously test if
>   the packaged dependencies work until they are used by other software
>   (like matterbridge)?

Ideally, those packages would at least have a working test suite, but I
understand that such concerns are not always valid in the industry :)
As noted before, cutting off branches of the dependency DAG at
reasonable points and committing them in batches sounds like a good idea
to me. No one wants to review a 500 commit bomb.

> Also when I manage to update matterbridge[3] how should we deal
> with such an amount of packages? Would I need to send one (generated)
> patch for the upgrade of each package?

One patch per package, plus one to fix the matterbridge package.

> I also guess that sticking as much as possible to what Guix import go
> generates would help in situations like that as it would make the
> maintenance faster.

The importers exist to make your life easier, but they're not
omniscient. Please do exercise caution when dealing with them :)

Cheers,
Liliana
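
One way to plan the batches suggested in the message above, as an added example that is not part of the original mail and is not Guix code: it layers a Go module graph so that each batch depends only on earlier ones, and reports modules stuck behind a dependency cycle. Assumptions: the input has the line format printed by `go mod graph`, the module names are constructed, and versions are stripped as a simplification.

```python
from collections import defaultdict

# Constructed sample in the "consumer dependency" line format printed by
# `go mod graph`. All module names are made up for illustration.
SAMPLE_GRAPH = """\
example.org/bridge example.org/chat@v1.2.0
example.org/bridge example.org/log@v0.3.0
example.org/bridge example.org/loop-a@v1.0.0
example.org/chat@v1.2.0 example.org/net@v0.9.0
example.org/net@v0.9.0 example.org/text@v0.1.0
example.org/log@v0.3.0 example.org/text@v0.1.0
example.org/loop-a@v1.0.0 example.org/loop-b@v1.0.0
example.org/loop-b@v1.0.0 example.org/loop-a@v1.0.0
"""

def parse_graph(text):
    """Return {module: set of direct dependencies}, with versions stripped."""
    deps = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        consumer, dependency = (f.split("@")[0] for f in fields)
        deps[consumer].add(dependency)
        deps[dependency]  # make sure leaf modules appear as keys too
    return deps

def plan_batches(deps, already_packaged=()):
    """Layer the graph so every batch depends only on earlier batches.
    Returns (batches, blocked); `blocked` lists modules that sit in a
    dependency cycle, or depend on one, and need manual handling."""
    done = set(already_packaged)
    todo = set(deps) - done
    batches = []
    while todo:
        ready = sorted(m for m in todo if deps[m] <= done)
        if not ready:
            break  # nothing left can be built from what is done: cycle
        batches.append(ready)
        done.update(ready)
        todo -= set(ready)
    return batches, sorted(todo)

if __name__ == "__main__":
    batches, blocked = plan_batches(parse_graph(SAMPLE_GRAPH))
    for number, batch in enumerate(batches, 1):
        print(f"batch {number}: {', '.join(batch)}")
    print("blocked by a cycle:", ", ".join(blocked))
```

Passing the modules that already have packages as `already_packaged` removes them from the plan, so the remaining batches show only the work still to be reviewed.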