On Fri, 13 Sep 2019 19:44:55 -0400
Michael Orlitzky <m...@gentoo.org> wrote:

> (Replying to both messages at once.)
> 
> 
> On 9/13/19 4:17 PM, Patrick McLean wrote:
> >>  
> > I don't think anyone here has suggested that any go packages are
> > installed in the stage3 tarballs, or included in profiles.
> > Something's presence in the tree does not mean that you are
> > required to install it. A package's presence in the tree really has
> > little to zero effect on any user that does not use the package. If
> > you do not install the package, it will have zero effect on your
> > banking.  
> 
> This is true only so far as they never become dependencies of anything
> else. Do all new developers know that dev-go is an insecure ghetto? Do
> our users? Or might someone accidentally install or depend upon
> something in dev-go before learning that crucial bit of information?

A suggestion was made on IRC to have a pkg_postinst in the eclass that
warns about golang package dependencies not having the same level of
Gentoo security coverage that other packages in the tree have due to
static linking. I think this is a reasonable approach, and users and
developers will know. There is precedent for this, see
sys-kernel/vanilla-sources.

> > I also want to point out that the Gentoo packages for Firefox,
> > Chromium, and Webkit all have a _lot_ of bundled dependencies and
> > absolutely do static linking internally. If you are using a browser
> > to do your banking, you are almost certainly using static linking,
> > even without the presence of code written in golang.  
> 
> Is this a "two wrongs make a right" argument? I'm telling mom =P

I am pointing out that we can't ban all static linking in the tree,
many upstream packages won't work without it (or significant effort
that no one has the time or motivation for).

> > Despite your (and my) objections to its approach to linking,
> > golang is a very popular language these days with some very popular
> > packages written in it.  
> 
> No it's not. It's below Delphi and Object Pascal on TIOBE this month.
> It's a trend that a tiny percentage of people jumped on because they
> heard the name "Google" back when Google was cool.

Random stats from a website are not really an indication of how much a
language is being used. There are plenty of very popular packages that
are written in golang.

> The "people want this in Gentoo" argument I understand, but people
> don't really have it "in Gentoo." They have a thin wrapper around the
> "go" command. They don't get the Gentoo security guarantees, they
> don't get the Gentoo license handling, they don't get the ease of
> management that comes with a Gentoo @world update. They silently get
> something less than they're expecting. We would be better off telling
> people to run "go whatever" themselves, or by putting this stuff in
> an overlay where expectations are clearly defined.

Users and Gentoo developers want Docker and Kubernetes (to name a
couple) in the main tree. These are written in golang. I don't think we
should ban packages because of the language they are written in.
Especially if there are developers who want to maintain them.

They do get the ease of management of @world in that if the upstream
package releases a new version, it will be pulled in via an @world
update. That is quite a large advantage to users, and is worth doing if
there are developers willing to maintain the packages in the tree.

> 
> > While I personally have opinions about static linking (I basically
> > completely agree with you that it's a dumb idea). That said, this
> > has nothing to do with this particular discussion, I suggest you
> > take it up with the golang upstream. I don't think anyone here is
> > arguing that static linking is a great idea and everyone should do
> > it.  
> 
> We just have a philosophical difference here. I don't think we should
> commit admittedly-dumb ideas to ::gentoo. These packages would work
> fine in an overlay until such a time as someone is interested in
> doing things correctly. They also work "fine" if you install them
> with "go" yourself: Portage isn't doing much for you when everything
> is bundled, statically linked, and has LICENSE set incorrectly.

When "doing things correctly" means basically forking the entire
ecosystem and maintaining all the forks internally, that is not
something that is ever going to happen. There is demand from users and
developers for golang packages.

It's the same reason why we don't unbundle everything in Firefox and
Chromium: it's simply too much work. It basically means maintaining our
own fork of the package. That also means security updates will take
significantly longer, as the fork will need to be rebased on the new
upstream version.

> I don't want to keep replying to these threads -- I've said everything
> that I've got to say, and I'm boring myself, so I can only imagine how
> you all feel. This will get pushed through anyway, because it always
> does. It's just demoralizing constantly begging people not to make
> things worse and being ignored.

Then don't; golang and packages written in it are going to stay in the
tree, and new golang packages are going to be added. This entire
thread has been about how we are going to support a newer packaging
style upstream adopted.

I encourage you to package.mask dev-lang/go, and carefully inspect any
-bin packages you install to make sure you don't install anything
written in golang on your machine.