From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id eI+lG6omv19tEQAA0tVLHw (envelope-from ) for ; Thu, 26 Nov 2020 03:53:14 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id 2OyWF6omv18qPwAAB5/wlQ (envelope-from ) for ; Thu, 26 Nov 2020 03:53:14 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E620D9400BF for ; Thu, 26 Nov 2020 03:53:13 +0000 (UTC) Received: from localhost ([::1]:35666 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1ki8LI-0007U5-TO for larch@yhetil.org; Wed, 25 Nov 2020 22:53:12 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:56654) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ki8L3-0007TM-Uj for help-guix@gnu.org; Wed, 25 Nov 2020 22:52:57 -0500 Received: from mx1.riseup.net ([198.252.153.129]:37830) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1ki8L1-0004N8-TV for help-guix@gnu.org; Wed, 25 Nov 2020 22:52:57 -0500 Received: from bell.riseup.net (bell-pn.riseup.net [10.0.1.178]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4ChP3c3jPczDr8S; Wed, 25 Nov 2020 19:52:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1606362764; bh=W0ZPPc6zLNZtTOXVQbaVPDE/EnKRHemLnpCbt7hWPnQ=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=dbfBRbPQE4yqDKLKQB1/v03ABBc/bzSUUEVfSP8Lmh+kCUUAspbxJ9yHnLAXuo+hg n2t/U0WNDfgTp9n/o9YZpGsqPr/WNaDeG4YyotyUDc7/Fmc0DiwciVmAZRu3NAFyYr n26A7SoT63yEvGls9ZvdZEJ6VlGdMMVO6ijCbfWI= X-Riseup-User-ID: B4C80D70203CB92AC06B952F5823F4E43876BAB6F74AA9E5F526E3BF9D0803A5 Received: from [127.0.0.1] (localhost [127.0.0.1]) by bell.riseup.net (Postfix) with ESMTPSA id 4ChP3b5jfvzJs1s; Wed, 25 Nov 2020 19:52:43 -0800 (PST) Date: Wed, 25 Nov 2020 23:39:05 +0100 From: raingloom To: Stephen Scheck Subject: Re: Build determinism, dependency granularity, and dependency scope Message-ID: <20201125233905.11206dee@riseup.net> In-Reply-To: References: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=198.252.153.129; envelope-from=raingloom@riseup.net; helo=mx1.riseup.net X-Spam_score_int: -11 X-Spam_score: -1.2 X-Spam_bar: - X-Spam_report: (-1.2 / 5.0 requ) BAYES_00=-1.9, DATE_IN_PAST_03_06=1.592, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: help-guix Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: "Help-Guix" X-Migadu-Flow: inc X-Scanner: ns3122888.ip-94-23-21.eu Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=riseup.net header.s=squak header.b=dbfBRbPQ; dmarc=pass (policy=none) header.from=riseup.net; spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org X-Spam-Score: -1.71 X-TUID: kcE7pdiWcw19 On Tue, 24 Nov 2020 16:20:35 -0500 Stephen Scheck wrote: > I have been trying to package an open source application written in > Go for Guix, and along the way as I've come to understand the > mechanics better, I've realized a few things which are a bit > disconcerting. I'll refer to the package for Yggdrasil, as it was > recommended to me as a good blueprint to follow for the project I'm > trying to package. > > If you take a look at the package definition for Yggdrasil 0.3.15, > here are some of the Golang dependencies: > > (propagated-inputs > ;; ... > ("go-golang-org-x-net" ,go-golang-org-x-net) > ("go-golang-org-x-text" ,go-golang-org-x-text) > ;; ... ) > > If you look at the project's `go.mod` file [1], you have: > > golang.org/x/net v0.0.0-20200301022130-244492dfa37a > golang.org/x/text v0.3.3-0.20191230102452-929e72ca90de > > But if you look at the commits for the packages defined in the Guix > tree, they do not correspond. And the `go-golang-org-x-text` package > in the Guix tree (version "0.3.2") does not even meet the minimum > version specified in `go.mod`. > > Also, it occurs to me that someone could decide to bump the version > for one of these packages up in the global Guix tree at any time to > satisfy the version requirements of some other package which require > a newer version, but because at the single package level there is > only a reference to the package name but not the version, all > dependencies in the tree will be carried along for the ride (!). > > Now, there's nothing preventing someone from defining versioned > packages in the Guix tree, such as a > `go-golang-org-x-text-929e72ca90de`, and referring to those in > dependent packages, but in practice that doesn't seem to be done and > most packages appear to have only one version, except for some things > like major language/platform versions (e.g. openjdk). > > Am I missing something here? > > It seems like what is needed would something like a package-scoped > "dependency constructor", allowing you to declare required versions > per-package: > > (propagated-inputs > ;; ... > ("go-golang-org-x-net" (go-module "golang.org/x/net" > "244492dfa37a")) ("go-golang-org-x-text" (go-module > "golang.org/x/text" "929e72ca90de")) > ;; ... ) > > [1] > https://github.com/yggdrasil-network/yggdrasil-go/blob/v0.3.15/go.mod Multiple versions leads to more maintenance burden and a bigger store. But I admit I didn't really investigate which exact module versions Yggdrasil is compatible with.