From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id AFWsHMlWD2CkCQAA0tVLHw (envelope-from ) for ; Mon, 25 Jan 2021 23:39:53 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id YN2BGMlWD2BwHwAA1q6Kng (envelope-from ) for ; Mon, 25 Jan 2021 23:39:53 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 828319402BD for ; Mon, 25 Jan 2021 23:39:49 +0000 (UTC) Received: from localhost ([::1]:44626 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l4BSW-0002c9-8f for larch@yhetil.org; Mon, 25 Jan 2021 18:39:48 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:43840) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <0x2b3bfa0@gmail.com>) id 1l4BSN-0002c0-6X for help-guix@gnu.org; Mon, 25 Jan 2021 18:39:39 -0500 Received: from mail-qt1-x833.google.com ([2607:f8b0:4864:20::833]:42511) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <0x2b3bfa0@gmail.com>) id 1l4BSL-0001xG-0X for help-guix@gnu.org; Mon, 25 Jan 2021 18:39:38 -0500 Received: by mail-qt1-x833.google.com with SMTP id e15so11034520qte.9 for ; Mon, 25 Jan 2021 15:39:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mntzWKiC2nNhhk3qvwY2QXMN1ZgzBm2QHBCVKRFEvkU=; b=G5duR+WCzVt/rO4VdgiNZjCMpOfysp02LedSvl8hB6cn1IU7Ch2Mxfhy7ud+vp2JC9 KehMO7mdAFrT8yo3DyZ0wEVK1crykHy2K/+EUCNd+VomzoaC+zk6LFN2TfZf0b9lkOAs KpZ9Lci5z3WdBVJHFKZr5ragf+tqKsxG5GSXj5qtzyITLMza1Jc+WfUvA46L4Iub6GsF P/oerFUSSxaz9CFslvY60h7axVhiBDIo2Vav9mFd0u8UyPfo5nzjHK8WJFDvvH40Kbhv o4w77ntVHFlOBEyIa3Ufw45UKfOBbQE8MOYAW1qcwFK8KyCLWQVKQERqvamFf61d85dG JD+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mntzWKiC2nNhhk3qvwY2QXMN1ZgzBm2QHBCVKRFEvkU=; b=mTTOF1vsRm5fqKuKFWGXIRvbTZfCvOISowA5mnFD5TYdH1ljSsrQdKNW+vu/W0IStB 5gUVBC8ogSxq4ez4JWbyJAr+i5tRdrbwW7qPENEnnhstuqaZB/zk2Hy1JOgfUQQKnqpi QqjxMyyzGN8qrBO/eaN5QVEXo7yhVupPGmT5YWId9pUpv4tuvFJntk7UYUlXFUsmKh2M mNgUSOZvFaUTVerMXkDYdonPUOcsezuhxluwoYVR8JVXSCwQXCGCyV5c153mfhYVHZxM 54cGb3zO7fD+lEsvwtnhzDop4PJjP7eKOHS20X1sKhX8v4tJUsp/eAy9eq0YfysL2bzw 7Mhg== X-Gm-Message-State: AOAM532nzQlGdk/4OFkOdv7T8Vi1XphaBoUJD8lqFrMNcvgyl3G9lC4D JA18DxOOqId2fTTuMP1FUkMk5BJ+AlcvwuAChik= X-Google-Smtp-Source: ABdhPJwSIJynuItVFIaqVDXlb+l14A4zdr38OaRKOaiL/o391vFKsRRXOtpyEqvYERiEArFZouroKA41kAO98yqby6o= X-Received: by 2002:ac8:5942:: with SMTP id 2mr2895281qtz.117.1611617975567; Mon, 25 Jan 2021 15:39:35 -0800 (PST) MIME-Version: 1.0 References: <87h7nrud2a.fsf@timmydouglas.com> <4bdbc469-ad45-4739-b001-739ad3a60adc@www.fastmail.com> <87a6thtyvm.fsf@timmydouglas.com> <87bldw0ztb.fsf@timmydouglas.com> <20210125204534.ovhvt7rzj7tbqrnt@fjo-extia-HPdeb.example.avalenn.eu> In-Reply-To: <20210125204534.ovhvt7rzj7tbqrnt@fjo-extia-HPdeb.example.avalenn.eu> From: Helio Machado <0x2b3bfa0@gmail.com> Date: Tue, 26 Jan 2021 00:38:59 +0100 Message-ID: Subject: Re: packaging a golang package To: =?UTF-8?Q?JOULAUD_Fran=C3=A7ois?= Received-SPF: pass client-ip=2607:f8b0:4864:20::833; envelope-from=0x2b3bfa0@gmail.com; helo=mail-qt1-x833.google.com X-Spam_score_int: -17 X-Spam_score: -1.8 X-Spam_bar: - X-Spam_report: (-1.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Katherine Cox-Buday , "help-guix@gnu.org" Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: "Help-Guix" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -1.25 Authentication-Results: aspmx1.migadu.com; dkim=fail ("body hash did not verify") header.d=gmail.com header.s=20161025 header.b=G5duR+WC; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org X-Migadu-Queue-Id: 828319402BD X-Spam-Score: -1.25 X-Migadu-Scanner: scn1.migadu.com X-TUID: UQSNKCxJ2PhN (Quick note: my patches follow the third approach, not the second) On Mon, 25 Jan 2021 at 21:49, JOULAUD Fran=C3=A7ois < Francois.JOULAUD@radiofrance.com> wrote: > Hello, > > On Sun, Jan 17, 2021 at 02:31:39PM +0100, Helio Machado wrote: > > Looks like it ran into the replace syntax and didn't parse it correctly= ? > > > https://golang.org/ref/mod#go-mod-file > > New version of the patch on https://issues.guix.gnu.org/issue/44178#10 > fixes some of those problems. There is still others bugs left but you > could give it a new try. Git repo with patch applied is available at [6] > > > Guix seems to have a strong opinion about dependency vendoring, but it'= s > > technically viable as long as you don't produce architecture-specific > > artifacts when packaging. See https://issues.guix.info/43872 for more > > information about the pitfalls I encountered while packaging go-ethereu= m > > the fast way. > > It seems to me we have three possible ways to handle Go packaging. > > First is to use vendored dependencies (when upstream provides them). This > one has the merits of simplicity (as we just have to download the > source and launch `go build` or whatever is needed) and less risks of > bugs. The downsides are known: difficult to audit Licences, duplication > of code source, difficulty to follow security bugs, etc. > > Second is to re-vendor package from go.mod (coming directly from code > source or synthetized from source) by creating a source derivation > including all dependencies. This is the strategy followed by Nixpkgs > as explained in [1]. (It seems to me this is the route followed in > the patches to from Helio in [2] but I did not take the time to read > them.) With this approach we still have some of the downsides of using > vendored upstream but it is at least easier to verify the existence > of upstream. > > Third is to package every dependencies. This is the most transparent way > and the one that leads to less code duplication but the downside is the > difficulty to scale with the number of packages (even if the objective of > patch at [3] is to automate it) and the need to have only one reference > version for each package in the distribution which have its own share of > problems (one of them being that we don't use those tested by upstream > as stated in [4]). > > I think Guix should support all three in its tooling to be able to suppor= t > several use-cases. For inclusion of packages in Guix proper we should try > the individual packaging of dependencies and see how it works. Perhaps we > will need exceptions as the one Debian does for Kubernetes [5]. Perhaps > we will need to fallback to vendoring or re-vendoring in more cases but > we will learn as we walk. > > Best regards, > Fran=C3=A7ois > > [1]: https://github.com/NixOS/nixpkgs/issues/84826 > [2]: > https://github.com/0x2b3bfa0/guix-go-modules/commit/5defe897065c5d3e63740= 932b360474132c77877 > [3]: https://issues.guix.gnu.org/issue/44178#10 > [4]: https://github.com/NixOS/nixpkgs/issues/84826#issuecomment-616663815 > [5]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D971515 > [6]: https://github.com/kat-co/guix/tree/create-go-importer