Michał Górny wrote:
> On Sat, 2024-03-30 at 15:17 +0000, Eddie Chapman wrote:
>
>> Michał Górny wrote:
>>
>>> On Sat, 2024-03-30 at 14:57 +0000, Eddie Chapman wrote:
>>>
>>>
>>>> Note, I'm not advocating ripping xz-utils out of tree, all I'm
>>>> saying is wouldn't it be nice if there were at least 2 alternatives
>>>> to choose from? That doesn't have to be disruptive in any way,
>>>> people who wish to continue using and trusting xz-utils should be
>>>> able to continue to do so without any friction whatsoever.
>>>
>>> So, you're basically saying we should go out of our way, recompress
>>> all distfiles using two alternative compression formats, increase
>>> mirror load four times and add a lot of complexity to ebuilds, right?
>>>
>>> --
>>> Best regards,
>>> Michał Górny
>>>
>>>
>>
>> Yes that's a very good point, that was something I was wondering in
>> weighing up both sides, what the costs would be practically, as I don't
>> know the realities of running Gentoo infrastructure. And maybe the
>> cost is just too high of a price to pay.
>>
>> I wonder if increased use of git repos rather than distributed tarballs
>>  could be part of a solution to those issues, although that could put
>> quite a storage burden on every user. Unless they were all shallow git
>> pulls and the user could optionally choose to tar up the git directory
>> after clone with compression.  But yes granted then there is even more
>> ebuild complexity.
>>
>
> Should we convert git repositories to Mercurial and Bazaar too, to avoid
> relying too much on a single tool?
>
> --
> Best regards,
> Michał Górny
>

I sense that question may have been slightly in jest :-) At least I hope
so as it could also be interpreted as an attempt at ridicule. I'll take it
as the former. In case you are seriously asking; of course not, that's
totally unnecessary. The objective is simply to obtain the upstream source
code intact. We don't need whatever version control of their source they
are using, which of course is the whole point of fetching distributed
tarballs. My suggestion of git pulls is just to address your point of
resource usage on Gentoo infra, it reduces the need to store binary dist
files. I've also heard some argue that relying on distributed tarballs is
part of the overall problem and what the bad actor was taking advantage
of. They may have a point.

