From: Stephen Scheck <singularsyntax@gmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: help-guix <help-guix@gnu.org>
Subject: Re: Build determinism, dependency granularity, and dependency scope
Date: Fri, 27 Nov 2020 14:08:19 -0500 [thread overview]
Message-ID: <CAKjnHz39JmpGfjhTbdEBH7G2U_MOA8CroyfRdVHxFtJVnx79WQ@mail.gmail.com> (raw)
In-Reply-To: <20201125231554.GD2093@jasmine.lan>
On Wed, Nov 25, 2020 at 6:15 PM Leo Famulari <leo@famulari.name> wrote:
>
> No. The way that dependencies are handled in Go-world does concord with
> Guix on a conceptual level — it's definitely possible to have hundreds
> of versions of each Go library — but it's impractical with the current
> Guix tooling.
>
Java-based Guix packages also suffer from this problem (actually, I'm far
more familiar with dependency management in the JVM landscape than for Go,
but the use of granularly versioned and scoped, distributed dependency
models by both languages appears to be similar on the surface).
For example, the `java-log4j-core` Guix package (at version 2.4.1 in the
Guix tree) has a dependency on `java-fasterxml-jackson-core` (at version
2.9.4), but the corresponding Log4j release asserts a dependency version of
2.6.2 in its `pom.xml` [1].
> A good stopgap option is to use vendored dependencies (heresy, I know),
> assuming they are free software and the upstream sources include them.
> This works fine and is better than not having Go software at all.
>
In the case of the Go application I was trying to package, it does not
include vendored dependencies. And I don't have any relationship or
check-in privileges with the project - it is simply something I wanted to
use in an environment with other Guix-sourced packages. Well, I guess it
would be straightforward to fork the GitHub source, run `go mod vendor` [2]
and check in the vendor directory with a specific tag such as
"vx.y.z-guix-vendored". Whether the project maintainers would accept such a
pull request, or if it would be considered bad form to refer to a forked
repository in a Guix package definition instead of the official repo if
not, I don't know.
In the long run, Guix's Go support needs a complete overhaul.
>
Indeed.
[1] https://github.com/apache/logging-log4j2/blob/rel/2.4.1/pom.xml#L177
[2] https://golang.org/ref/mod#vendoring
next prev parent reply other threads:[~2020-11-27 19:12 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-24 21:20 Build determinism, dependency granularity, and dependency scope Stephen Scheck
2020-11-25 22:39 ` raingloom
2020-11-27 18:38 ` Stephen Scheck
2020-11-25 23:15 ` Leo Famulari
2020-11-27 19:08 ` Stephen Scheck [this message]
2020-11-28 2:30 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKjnHz39JmpGfjhTbdEBH7G2U_MOA8CroyfRdVHxFtJVnx79WQ@mail.gmail.com \
--to=singularsyntax@gmail.com \
--cc=help-guix@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).