From: Stephen Scheck
Date: Fri, 27 Nov 2020 14:08:19 -0500
Subject: Re: Build determinism, dependency granularity, and dependency scope
To: Leo Famulari
Cc: help-guix
In-Reply-To: <20201125231554.GD2093@jasmine.lan>

On Wed, Nov 25, 2020 at 6:15 PM Leo Famulari wrote:

> No. The way that dependencies are handled in Go-world does concord with
> Guix on a conceptual level — it's definitely possible to have hundreds
> of versions of each Go library — but it's impractical with the current
> Guix tooling.

Java-based Guix packages also suffer from this problem (actually, I'm far more familiar with dependency management in the JVM landscape than for Go, but the use of granularly versioned and scoped, distributed dependency models by both languages appears to be similar on the surface). For example, the `java-log4j-core` Guix package (at version 2.4.1 in the Guix tree) has a dependency on `java-fasterxml-jackson-core` (at version 2.9.4), but the corresponding Log4j release asserts a dependency version of 2.6.2 in its `pom.xml` [1].

> A good stopgap option is to use vendored dependencies (heresy, I know),
> assuming they are free software and the upstream sources include them.
> This works fine and is better than not having Go software at all.

In the case of the Go application I was trying to package, it does not include vendored dependencies. And I don't have any relationship or check-in privileges with the project - it is simply something I wanted to use in an environment with other Guix-sourced packages. Well, I guess it would be straightforward to fork the GitHub source, run `go mod vendor` [2] and check in the vendor directory with a specific tag such as "vx.y.z-guix-vendored". Whether the project maintainers would accept such a pull request, or if it would be considered bad form to refer to a forked repository in a Guix package definition instead of the official repo if not, I don't know.

> In the long run, Guix's Go support needs a complete overhaul.

Indeed.

[1] https://github.com/apache/logging-log4j2/blob/rel/2.4.1/pom.xml#L177
[2] https://golang.org/ref/mod#vendoring
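
The mismatch described in the message above (a package built against `java-fasterxml-jackson-core` 2.9.4 while the upstream `pom.xml` declares 2.6.2) can be checked mechanically. This is an added example, not part of the original message and not Guix or Log4j code; the POM fragment, the property names and the `PACKAGED` table are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Constructed POM fragment (not copied from Log4j); property names are assumptions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson2Version>2.6.2</jackson2Version></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId><version>${jackson2Version}</version></dependency>
    <dependency><groupId>org.example</groupId>
      <artifactId>absent-lib</artifactId><version>${absentVersion}</version></dependency>
  </dependencies>
</project>"""
# Constructed table of the versions the distribution actually builds against.
PACKAGED = {"com.fasterxml.jackson.core:jackson-core": "2.9.4"}

def declared_versions(pom_text):
    """Map 'groupId:artifactId' to the declared version, expanding ${property}."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.iterfind("m:properties/*", NS)}
    out = {}
    for dep in root.iterfind(".//m:dependency", NS):
        field = lambda name: dep.findtext("m:" + name, "", NS).strip()
        if field("version"):  # entries without a version are managed elsewhere
            out[field("groupId") + ":" + field("artifactId")] = re.sub(
                r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                field("version"))
    return out

def drift(pom_text, packaged):
    """Return (coordinate, declared, packaged, status) for every mismatch."""
    key = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))  # numeric parts only
    report = []
    for coord, want in sorted(declared_versions(pom_text).items()):
        have = packaged.get(coord)
        if have == want:
            continue
        if "${" in want:
            status = "unresolved-property"
        elif have is None:
            status = "not-packaged"
        else:
            status = "packaged-newer" if key(have) > key(want) else "packaged-older"
        report.append((coord, want, have, status))
    return report

if __name__ == "__main__":
    print(*drift(SAMPLE_POM, PACKAGED), sep="\n")
```

A `packaged-newer` or `packaged-older` row means advisory version ranges should be matched against the packaged version, since that is the code that was actually built.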