From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:470:142:3::10]:47510) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j1ZT6-00053k-CZ for guix-patches@gnu.org; Tue, 11 Feb 2020 12:37:05 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j1ZT5-0003DH-7Y for guix-patches@gnu.org; Tue, 11 Feb 2020 12:37:04 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:51482) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1j1ZT4-0003C2-JU for guix-patches@gnu.org; Tue, 11 Feb 2020 12:37:03 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1j1ZT4-00063H-FT for guix-patches@gnu.org; Tue, 11 Feb 2020 12:37:02 -0500 Subject: [bug#39021] [PATCH] Add Keybase Resent-Message-ID: Date: Tue, 11 Feb 2020 12:36:34 -0500 From: Leo Famulari Message-ID: <20200211173634.GB9442@jasmine.lan> References: <20200107200039.jga75muq7excgpqu@zdrowyportier.kadziolka.net> <20200208002020.GD12194@jasmine.lan> <20200211163654.v5jz5bf7audo7unh@gravity> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20200211163654.v5jz5bf7audo7unh@gravity> List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Jakub =?UTF-8?Q?K=C4=85dzio=C5=82ka?= Cc: 39021@debbugs.gnu.org On Tue, Feb 11, 2020 at 05:36:54PM +0100, Jakub Kądziołka wrote: > > We strive to avoid using these, but sometimes we do, as in the Docker > > package. It's not really idiomatic to unbundle things in Go. But we need > > to at least make sure all the bundled dependencies are freely licensed. > > Apart from licensing concerns, what are the arguments for splitting this > into separate packages? I feel like this is just busywork... The question of licensing is unrelated to bundling, sorry if that wasn't clear. The only thing you have to do here is make sure they are all freely licensed. To clarify, those bundled dependencies *are* separate packages, developed by different organizations. It's the standard in Guix (and every major GNU/Linux distro) to not allow bundled dependencies because they make the graph of software basically uninspectable and unmaintainable using the distro's normal tools, as well as having the potential to waste time and space building multiple versions of a package if it is bundled in more than one place or already present as its own package. It negates all the advantages of creating a distrubtion, especially for Go binaries, which can be trivially deployed on any system, including Guix, without any extra work. But like I said, it's normal to bundle things in Go land, where there is really no principled concept of dependency management or versioned releases, and as time goes by changes to the Go compiler make it harder and harder to unbundle. I did do it for Syncthing and I can confirm it was a lot of work for no clear benefit. Excepting the standard library, Go libraries do not even get security updates because nobody is looking closely at them.