From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id YMmvA5qrLmFmfQAAgWs5BA (envelope-from ) for ; Wed, 01 Sep 2021 00:22:18 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id mGv4OpmrLmH/UAAAB5/wlQ (envelope-from ) for ; Tue, 31 Aug 2021 22:22:17 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 273561F07A for ; Wed, 1 Sep 2021 00:22:17 +0200 (CEST) Received: from localhost ([::1]:60058 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mLC92-0006CM-3b for larch@yhetil.org; Tue, 31 Aug 2021 18:22:16 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:48008) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mLC8l-0006Bx-Mj for guix-devel@gnu.org; Tue, 31 Aug 2021 18:21:59 -0400 Received: from xavier.telenet-ops.be ([2a02:1800:120:4::f00:14]:45580) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mLC8i-0007dU-UW for guix-devel@gnu.org; Tue, 31 Aug 2021 18:21:59 -0400 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by xavier.telenet-ops.be with bizsmtp id oNMs2500Q0mfAB401NMtkn; Wed, 01 Sep 2021 00:21:53 +0200 Message-ID: <3a88b1abb853f8217e8dcc05810f1fb3f8468004.camel@telenet.be> Subject: Re: packaging go-ethereum, and ultimately bee (of ethswarm.org) From: Maxime Devos To: Attila Lendvai , "guix-devel@gnu.org" Date: Wed, 01 Sep 2021 00:21:37 +0200 In-Reply-To: References: Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-H4oUpHuHd6Agnx/J4ZAF" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1630448513; bh=RR+Dy00CKlWtvOHaYh4J9fDygPxRW42EOvPGZ50i/Ag=; h=Subject:From:To:Date:In-Reply-To:References; b=XEUAnDoXQgiiR0qA2aaI9/hOkX3YNHQtTomyL7ttRrqtzKSwBnHfKSs3oD9ngnjV/ lqjvy1NBpY243Nmbteso6Ligim03wnARRX116Z9m2jyIX42bEQKZ1TIKSQxjrXemjI F6FXIlpwBOaXeLD/0qSE9M35RUNFpmGfr90c3bcFY6dkZnDWyf4xFS0FUhK29iWHTo Jsy6tQom++PQWGf80wAOJHWJgRai1Qm9bW2hqkBY54xgJ903HqkVXoI++hGiyYQZS1 PxgIGBWa6Msy4BEPZwJdtfxD//aIbfyzoDtdQ9HM/vYGiZlYyyW/ILWUjjqtdc4jrf 6qorJAaoaFJzA== Received-SPF: pass client-ip=2a02:1800:120:4::f00:14; envelope-from=maximedevos@telenet.be; helo=xavier.telenet-ops.be X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1630448537; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=RR+Dy00CKlWtvOHaYh4J9fDygPxRW42EOvPGZ50i/Ag=; b=ZVYkwTUIr66a8UzPf/PPdZUeJ8UgUoDmS9k45C7hWGEGD/y8JezhJ6cw4DYZY/0s8poPZJ 2SoiHTULjv4MptLIEg5dBeMtYjDCHLztBganoMcsxs8QKiDwodFWHlOMPAa4AOB8F4OuXc HxKSWzHDgfH28lYia0Wmf4v0qldcQaKQ43HYU3JjWQQ3RR88h7j8GdDU+A8BDqeB4KTf96 H/zdF6ohfrZTpi1ejWoUNxVn0bNODXaxz1Xxhel7mKzXY73/HARZIUAJIZh3Yh17s3KEzt f/O8uSo/Lnr4wpMMIqYslSf7CimOawIc6fNFWA3gHW513bKKdcCqqoByR5Ew+g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1630448537; a=rsa-sha256; cv=none; b=s0bVXZ9f6AHvWspyZxEHXJPvQWFDThbEvwXsz5fhMovq8OiYEdBqxuKd/yklHuhTikGnHx XnhbBxWtN+8I3JmZ823ezuhOAyM4O6CwG+GlrngewjmjcR5+aD7+qVpYBuX9C+qBEa9caO qu9Q8aaVLWTtMa7xanWMLw/yVKSh5O8c9QI2yPXjBn82bnM2qjASD5+zpjFbHLU3ofyHzw Ao2kMx2znXfepA13ABQkUn6zVR0mRs+8jpRCGKU/Cw6FnhooUDzQu/4m5XfWXa+q81ytBw 6TcIOVHrDwNX3x8mleiszb3f+Igif/VYhJ78D5TWpfRY72lMUNvjComIObjtVg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r21 header.b=XEUAnDoX; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -5.22 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r21 header.b=XEUAnDoX; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 273561F07A X-Spam-Score: -5.22 X-Migadu-Scanner: scn0.migadu.com X-TUID: K/msWYu/VgSk --=-H4oUpHuHd6Agnx/J4ZAF Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, Warning: I haven't actually ever touched a go package. Take my mail with a huge grain of salt. Much of this you've probably already heard at . Attila Lendvai schreef op ma 30-08-2021 om 21:52 [+0000]: > [...] > so, regarding go-ethereum, i've seen this: >=20 > https://issues.guix.gnu.org/43872 >=20 > the initial conclusion was that the proper way to package a go project is= to package the pinned transitive > closure of every dependency. there's a go importer now, which is function= al/hackable enough that this is not > a hopeless task, but... i'm doubtful that it's a good idea to multiply th= e number of Guix packages by such an endeavor... :) This situation doesn't seem all that different from, say, importing 'evolut= ion' (a GNOME e-mail program) in the hypothetical situation that guix doesn't ha= ve any GTK or GNOME library already packaged. I don't think you have to worry about adding many guix packages. Presumably, the new guix packages would have uses outside go-ethereum, so they can be re-used as dependencies of new go packages, so over time, having to define many new packages when impo= rting a go application should become less and less of a problem. (About version pinning: I'm ignoring version incompatibilities here. I don= 't know how much of a problem that is in practice ...) =20 Maybe I'm spouting nonsense here though, (gnu packages golang) has been aro= und since 2016, and possibly go-ethereum has much more (indirect) dependencies = than 'evolution'. > then Helio Machado proposed something smarter in a later comment: >=20 > https://issues.guix.gnu.org/43872#3 >=20 > IIUC, he proposes a way to instead use the go module system to download a= ll the dependencies, > and yet authenticate all the downloaded go code. (Parts of what I write below is written in the manual (guix)Submitting patc= hes, search for =E2=80=986. Make sure the package does not use bundled copies of= software already available as separate packages.=E2=80=99) One problem with this approach, is that a go package can be using very old = versions (possibly with bugs that have long been fixed in the latest versions, or wi= th security issues) of dependencies without any indication thereof in the package defin= ition, and "guix refresh -t go" and "guix lint -c cve" can't indicate problems (*)= . (*) I don't know if these commands currently work on go packages. Another problem is: if a go package has many (transitive) dependencies, how= do we check that it doesn't contain any malware or non-free components? That = needs to be checked manually, per package. With the status quo (only have one co= py of everything whenever feasible), this only has to be done once per =E2=80= =98go software=E2=80=99 (go module? I'm not familiar with the terminology). But when using somethi= ng like =E2=80=98https://issues.guix.gnu.org/43872#3=E2=80=99, if multiple =E2= =80=98guix go packages=E2=80=99 use the same =E2=80=98go module(?)=E2=80=99, then both variants of the modu= le need to be checked. So to conclude, I don't think this approach can scale safely, and this appr= oach actually seems more work to me. (Also think of network traffic and build times, which would presumably be m= uch increased by this approach. Disk space shouldn't be much of a problem due = to the =E2=80=98content(/store?) deduplication=E2=80=99 feature of guix.) > his work is not merged yet, and i think it's not even ready for merging = yet. >=20 > now, i'm rather motivated to work on this, maybe even willing to use the = go importer > and add countless pinned go packages... but is that desirable? is that th= e ultimate > solution/goal? Using the go importer (in --recursive mode I presume) seems good, but if wi= th "pinned" you mean "multiple versions of the same go module in Guix", I would avoid t= hat if possible, due to the reasons I noted above. If the various dependents of a go package aren't to picky about the exact v= ersion, you could use "guix refresh --type=3Dgo" to update the indirect dependencie= s of go-ethereum. (Note: guix refresh doesn't seem to support go yet.) > or should i wait until Helio's clever hack is merged? or shall i try to = finish up his > hack to be merge-ready? I don't think it will ever be merged as it only works for x86_64 ... > i'd really appreciate some guidance and/or coordination regarding where i= should put my energy. I don't know how Go in Guix will eventually look like, but I'd assume having an updater for go would be uncontroversial, appreciated and useful for packaging go-ethereum. Greetings, Maxime. --=-H4oUpHuHd6Agnx/J4ZAF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYS6rchccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7nxDAQDWeiuvD9TlLzKOVcEWR2R0bxVH XLHmr8dXHfcdpRBnsgEA5M2vBY8NwqEfBIfBgCjk7R2XJFqEJOSV8ds+FxVHdgM= =f10q -----END PGP SIGNATURE----- --=-H4oUpHuHd6Agnx/J4ZAF--