From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <help-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id 0ASwAol5vV/CYQAA0tVLHw
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 24 Nov 2020 21:22:17 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id mOYoOoh5vV8+SgAAB5/wlQ
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 24 Nov 2020 21:22:16 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 632459402A8
	for <larch@yhetil.org>; Tue, 24 Nov 2020 21:22:16 +0000 (UTC)
Received: from localhost ([::1]:54146 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1khflO-0000b4-Ku
	for larch@yhetil.org; Tue, 24 Nov 2020 16:22:14 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:49688)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <singularsyntax@gmail.com>)
 id 1khfk6-0000NN-ED
 for help-guix@gnu.org; Tue, 24 Nov 2020 16:20:58 -0500
Received: from mail-wm1-x335.google.com ([2a00:1450:4864:20::335]:55603)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <singularsyntax@gmail.com>)
 id 1khfk4-0004GD-7W
 for help-guix@gnu.org; Tue, 24 Nov 2020 16:20:54 -0500
Received: by mail-wm1-x335.google.com with SMTP id x22so264810wmc.5
 for <help-guix@gnu.org>; Tue, 24 Nov 2020 13:20:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to;
 bh=C0W3Xt0MVOu9V96ToNbCwrIbgFEhxtP7jhugpfhMaJU=;
 b=LwifKwiVG5t2s8TqiltCZNR27OQ8dsUzmeSE1iQn02JBt5xTY1q294qOeMGoMcPBbN
 8gWYHWAfMM3/3wMuqtbc7ASltBSIF4fbavB2ZjWUaJEK6tFlqIm0JCWKWwfhKOn7oXSt
 2oRzplmjCL9pkfRbmWoTG2rSN+fevYH2hDzIyWFnVfvePJEihT/lZiO6lD8r0WAeT9Ba
 rujL0uhLC9cGcBXZEu348CvS1aMM9EWUZOvbUAYDUWy0Q2/N3WrsD5E21zc0ijk6m9Ad
 YqgopnDh9SuK92u6bTzaMMdcUfhfEe1CYm/GO7LJy4il/Xak8+5k+qgak2NSPamaFdZU
 HXtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
 bh=C0W3Xt0MVOu9V96ToNbCwrIbgFEhxtP7jhugpfhMaJU=;
 b=XOiPzP3VZ/Irs7kfF6xSUaOX0BSe8IwifHbxM/5/PqyCG42chmj3UMex2pCT/eDaaC
 69A8djKy+1ofYLuNuTFPcOJcbYMbcxYQUsfcREtZUXK7RdAwtRO5HYDCtycN6biVWtHc
 pvvJxIOqyWcnoYEWWkAQTKB0tAvlw+DiBMJxBPLddrPSl0r9yfqL3G4iCvKE9spsM6rG
 RNB5sCZY4LxD7yIn423boAj7Q/V08V9jVE2VkV3Di1NkxKIwz192fXGqSrGiKWFRwLcy
 ppvifSIrz42gKKfol+QVveI9ybG8liFSenMpPjr7/yGEfIdSU6mUZwm477+UP5CXX7Gu
 rD2w==
X-Gm-Message-State: AOAM530ztD29WKK2ftuUyBQ3lpaUTIqko0ZHRnWAGGCGQq1JzsXeDaLl
 cCxEMX1LYfIPdZZKsc1+93Yvxqlb2W2/B1aOP/yd6TI2CQc=
X-Google-Smtp-Source: ABdhPJyOwj0sRLub3x7o78lMYLTBd5DuAi3EbBFm54lB7sMVKnW9dzZQlmyQrxsvvf4yULg1Q4pJQQ3SDF5EnUJa/Cs=
X-Received: by 2002:a7b:cd10:: with SMTP id f16mr340263wmj.69.1606252845758;
 Tue, 24 Nov 2020 13:20:45 -0800 (PST)
MIME-Version: 1.0
From: Stephen Scheck <singularsyntax@gmail.com>
Date: Tue, 24 Nov 2020 16:20:35 -0500
Message-ID: <CAKjnHz0gOpW8PZj-XUN8OsP1c-CPiSjZjRXrFurKOQWEw56=kg@mail.gmail.com>
Subject: Build determinism, dependency granularity, and dependency scope
To: help-guix <help-guix@gnu.org>
Received-SPF: pass client-ip=2a00:1450:4864:20::335;
 envelope-from=singularsyntax@gmail.com; helo=mail-wm1-x335.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: help-guix@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-guix>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+larch=yhetil.org@gnu.org>
X-Scanner: ns3122888.ip-94-23-21.eu
Authentication-Results: aspmx1.migadu.com;
	dkim=fail (body hash did not verify) header.d=gmail.com header.s=20161025 header.b=LwifKwiV;
	dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none);
	spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org
X-Spam-Score: 0.09
X-TUID: pI5fK0OjA7Ny

I have been trying to package an open source application written in Go for
Guix, and along the way as I've come to understand the mechanics better,
I've realized a few things which are a bit disconcerting. I'll refer to the
package for Yggdrasil, as it was recommended to me as a good blueprint to
follow for the project I'm trying to package.

If you take a look at the package definition for Yggdrasil 0.3.15, here are
some of the Golang dependencies:

    (propagated-inputs
       ;; ...
       ("go-golang-org-x-net" ,go-golang-org-x-net)
       ("go-golang-org-x-text" ,go-golang-org-x-text)
       ;; ... )

If you look at the project's `go.mod` file [1], you have:

    golang.org/x/net v0.0.0-20200301022130-244492dfa37a
    golang.org/x/text v0.3.3-0.20191230102452-929e72ca90de

But if you look at the commits for the packages defined in the Guix tree,
they do not correspond. And the `go-golang-org-x-text` package in the Guix
tree (version "0.3.2") does not even meet the minimum version specified in
`go.mod`.

Also, it occurs to me that someone could decide to bump the version for one
of these packages up in the global Guix tree at any time to satisfy the
version requirements of some other package which require a newer version,
but because at the single package level there is only a reference to the
package name but not the version, all dependencies in the tree will be
carried along for the ride (!).

Now, there's nothing preventing someone from defining versioned packages in
the Guix tree, such as a `go-golang-org-x-text-929e72ca90de`, and referring
to those in dependent packages, but in practice that doesn't seem to be
done and most packages appear to have only one version, except for some
things like major language/platform versions (e.g. openjdk).

Am I missing something here?

It seems like what is needed would something like a package-scoped
"dependency constructor", allowing you to declare required versions
per-package:

    (propagated-inputs
       ;; ...
       ("go-golang-org-x-net" (go-module "golang.org/x/net" "244492dfa37a"))
       ("go-golang-org-x-text" (go-module "golang.org/x/text"
"929e72ca90de"))
       ;; ... )

[1] https://github.com/yggdrasil-network/yggdrasil-go/blob/v0.3.15/go.mod