> Arthur Zamarin <arthur...@gentoo.org> wrote on 30.05.2023 18:35 CEST:
>
> Currently the best solution *per package* is to speak with upstream, to
> add a CI workflow which creates a source tarball which includes `vendor`
> dir. This is the best way, and I'm doing that for multiple upstreams of
> some random Go packages in ::gentoo. But I know the disadvantage -
> requirement to speak with upstream, explain why, and add it to the
> system. This is the best long-run solution, but more hardships.
>
I would like to add to this that even if upstream is not willing to do this, devs could automate the creation of vendor tarballs using GitHub Actions. I only did this for upstream repositories that are also on GitHub and for projects written in Rust. Initially I did this for complicated Rust projects with several git submodules and submodules of submodules. But with a little tweaking of the GitHub Actions I think it would be possible to use it for Go as well.

https://wiki.gentoo.org/wiki/User:Schievel/autocreate_rust_sources

This is additional initial work, but once you set it up, you don't even have the extra work of creating a new EGO_SUM for every package release. Ideally you just have to change the version in the file name of the ebuild to bump a package.

Security-wise I do not see a difference between this and creating the vendor tarball manually and uploading it to GitHub, as many proxy maintainers without devspace do it.

Regards
Pascal