-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Packaging] System package manager-friendly vendoring #111
Comments
Wooah! Firstly, thank you for all the kind words, really appreciate it! Secondly, your points are very reasonable, you convinced me by 110% 😁 From now on I'll vendor for all my go projects Just to be sure that I won't do anything wrong - all I have to do to is to run this? go mod vendor Or there's something extra needs to be done? |
Aww! You so nice, @metafates. And might I add that that's the most frightening GitHub avatar I've seen today. I commend you.
I'm... pretty sure. But I'm uncertain. Python is my backyard. Go is merely where I play on the weekends. If Thanks for being so accommodating, too. What a stunningly beautiful CLI app you've made here. 😮 |
Yep, mangal does not depend on any C code, so I guess that's it. I'll roll vendored version soon. Thank you so much =) |
|
Wow. So much amazing enthusiasm! You make binging manga even more fun, @metafates. As soon as I package |
Haha, okay, I'll be waiting 😁 |
Greetings, glorious
mangal
maintainers! I quietly package awesome software for Gentoo Linux. Becausemangal
is clearly both awesome and software, packagingmangal
for Gentoo is what I am now doing.Except... I can't. Cue sadness cat.
mangal: We Don't Need No "vendor/".
The
mangal
repository (and thus source tarballs derived from this repository) currently omits the top-levelvendor/
directory required to reproducibly build and installmangal
from source.That's usually fine. In the absence of a
vendor/
directory,go
subcommands silently download and cache dependencies listed ingo.mod
into the user-local module cache (e.g.,~/go/pkg/mod/
). Go developers and brave end users manually buildingmangal
from scratch are accustomed to that.That's less fine for foolhardy packagers (such as myself) attempting to package
mangal
for source-based redistribution at the system level. But "source-based redistribution at the system level" is the literal definition of Gentoo Linux. In other words, Gentoo isn't happy. Let's make Gentoo happy.Gentoo: Actually, We Really Need "vendor/".
Most system-level package managers (e.g.,
emerge
under Gentoo Linux) and language-level package managers (e.g., the Swift Package Manager (SPM)) sandbox at least filesystem access for security. Increasingly many also sandbox network access for the same reason. This is where our packaging trouble starts and ends.Since
mangal
omits avendor/
directory,go
subcommands silently:Admittedly, Gentoo can trivially circumvent filesystem sandboxing by just (A) caching to a temporary non-sandboxed work directory while building and then (A) deleting that directory after building. That's fine.
Gentoo cannot trivially circumvent network sandboxing, however. In theory, Gentoo could vendor
mangal
dependencies into a new source tarball that we host and maintain on your behalf... which is the problem. Gentoo ...okay, I mean me doesn't want to host and maintain separate source vendor tarballs for every single Go application in existence.We're lazy and slovenly. Vendoring Go dependencies is non-trivial, error-prone, time-consuming, and anti-fun. Moreover, every single other Linux distribution (of which there are a countably infinite number) would need to reduplicate that same work. This is probably why most Linux distributions that currently package
mangal
sidestep this issue by just redistributing your binary Linux executables. That is what Arch does, for example. But that's bad – or at least fundamentally incompatible with the Gentoo religion.We're zealous fanatics about source-based installation. We couldn't be wrong! 😅
mangal: Yah. We're Still Unconvinced.
Omitting
vendor/
is typically the best practice for Go middleware like libraries and frameworks. Conversely, committingvendor/
is typically the best practice for actual Go applications shipping executable binaries... likemangal
. Sources or it didn't happen, so:mangal: We Still Don't Care.
Very well. I can see that neither the lolcat nor the two blog articles I linked to above have convinced you. In that case, I shall now bludgeon you with verbose words.
There's really only one valid reasons to omit
vendor/
: repository size. But that's not a particularly valid reason in the modern era, because GitHub ...so, Microsoft is what I'm saying is already committed to taking the bandwidth and storage hit on your behalf.There are many valid reasons to commit
vendor/
, however – including:mangal
builds are currently non-deterministic. By deferring togo
subcommands that bang on remote servers for online installation,mangal
builds tacitly assume that URLs, versions, and licenses are perfectly stable across all dependencies – forever. But that's never the case. Packaging is a constantly shifting landscape wrapped in a badly documented enigma inside a vanishing mystery of404
errors. The Node.js world discovered this the rough way whenleft-pad
spontaneously blew everything up.go
no longer needs to bang on remote servers for online installation. Since requisite dependencies are locally available undervendor/
, CI/D turnaround (and thus turnaround for tests and PRs) measurably improves.Gentoo: I Am Very Tired Now.
Thanks so much for all the automated manga downloading,
mangal
magicians. My manga backlog may currently be crying, but everyone here is a spectacular gift to humanity.The text was updated successfully, but these errors were encountered: