On 2023-04-17 09:37, Florian Schmaus wrote:
> The EGO_SUM alternatives
> - do not have the same level of trust and therefore have a negative
> impact on security (a dubious tarball someone put somewhere, especially
> when proxy-maint)

Solution: generate release tarballs in upstream CI/CD.

> - are not easily verifiable

`go mod verify` (called by eclass) does part of the job.

> - require additional effort when developing ebuilds

Generating EGO_SUM needs effort on every bump too.

> - hinder the packaging and Gentoo's adoption of Go-based projects, which
> is worrisome as Go is very popular

Go's approach to package management is the prime cause after all. Downstream can only choose what workaround to apply.

> - prevent Go modules from being shared as DISTFILES on the mirrors
> across various packages

Go modules often use pinned commits, so only a small share is reused.

> Last but not least, we have the same situation in the Rust ecosystem,
> but we allow the EGO_SUM "equivalent" there.

Rust crates are not such a disaster as Go modules.