Hi Robin, On 4/1/20 6:36 AM, Robin H. Johnson wrote: >> Normally we don't bundle dependencies, avoiding that problem entirely. >> The Go eclasses however are badly designed, committed against protest by >> paid corporate interests, and serve only to facilitate large-scale >> copyright infringement and security vulnerabilities. If you're looking >> for a consistent explanation of how they're supposed to work with the >> rest of Gentoo, you won't find one. > mjo: Can you please substantiate your claims? > > It would have been nice to have heard your concerns during February, any > of one the three times that William and I posted the go-module.eclass > EGO_SUM development work for review on this mailing list. I don't see a > single email from you during that entire period. > > The EGO_SUM support explicitly ensured that upstream distfiles (for each > dependency) remained absolutely as upstream provided them, without > merging the distfiles together or altering their content in way (I admit > that the exact naming of the distfiles changed, because it was terrible, > v0.0.0-20190311183353-d8887717615a.zip for example).
Forgive my noobishness in this matter that let Alec to comment over my own statement. Alec pointed out some very important issues in go development that break copyright infringement and security vulnerabilities, but I'm sure that is not related to the good work done in go-module.eclass to surpass all go mess. npm is worst and I take from go-module as a good pattern to apply also into there. Going back to my overlay use case, will go-modules download all modules to distfiles directory? The naming convention will assure that there will be no modules repetition? What about eclean-dist, will it work as expected for those modules dependencies? I think some of this answers would worth mention in documentation. Sorry for anything I wrongly stated and thank you very much for your help, Samuel
Description: OpenPGP digital signature