> -----Original Message-----
> From: Khem Raj <[email protected]>
> Sent: Monday, February 3, 2025 1:38
> To: Marko, Peter (FT D EU SK BFS1) <[email protected]>
> Cc: [email protected]
> Subject: Re: [oe] [meta-oe][PATCH 4/8] protobuf: don't download git submodules
>
> On Sun, Feb 2, 2025 at 1:40 PM Peter Marko via lists.openembedded.org
> <[email protected]> wrote:
> >
> > From: Peter Marko <[email protected]>
> >
> > All dependencies are used from recipe sysroot now.
>
> It might work now with the version set, but how do we keep it working
> when the packages get updated asynchronously, unless upstream stops using
> vendored components as a first-class way of doing things?
>
I think that git submodules are a problematic feature. Similar to the npm fetcher, it's not tracked anywhere what is downloaded. Even worse, there is no reference between the downloaded hash and the component version. That's why we have very long rust crates include files which then track the dependencies.

This means that SPDX/SBOM reports and SVM reports don't work on this component. And this will become crucial after the EU CRA and the US cybersecurity executive order hit us.

So I'd propose to remove git submodules wherever possible and replace them with second/third/... clones where not.

Also consider this example when fetching the scarthgap grpc recipe with shallow clones, it's just crazy. Can you tell which abseil and googletest versions are used if we use the bundled version? Or if any of these didn't slip through the cracks and is not used?

gitsmshallow_github.com.abseil.abseil-cpp.git_bare_29bf808-1.tar.gz
gitsmshallow_github.com.abseil.abseil-cpp.git_bare_5dd2407-1.tar.gz
gitsmshallow_github.com.abseil.abseil-cpp.git_bare_fb3621f-1.tar.gz
gitsmshallow_github.com.aquynh.capstone.git_bare_852f46a-1.tar.gz
gitsmshallow_github.com.c-ares.c-ares.git_bare_6360e96-1.tar.gz
gitsmshallow_github.com.census-instrumentation.opencensus-proto.git_bare_4aa53e1-1.tar.gz
gitsmshallow_github.com.cncf.xds.git_bare_e9ce688-1.tar.gz
gitsmshallow_github.com.envoyproxy.data-plane-api.git_bare_9d6ffa7-1.tar.gz
gitsmshallow_github.com.envoyproxy.protoc-gen-validate.git_bare_fab737e-1.tar.gz
gitsmshallow_github.com.googleapis.googleapis.git_bare_2f9af29-1.tar.gz
gitsmshallow_github.com.google.benchmark_bare_015d1a0-1.tar.gz
gitsmshallow_github.com.google.benchmark.git_bare_5b7683f-1.tar.gz
gitsmshallow_github.com.google.bloaty.git_bare_60209eb-1.tar.gz
gitsmshallow_github.com.google.boringssl.git_bare_2ff4b96-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_2dd1c13-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_4c9a3bb-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_565f1b8-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_5ec7f0c-1.tar.gz
gitsmshallow_github.com.google.re2_bare_5bd6137-1.tar.gz
gitsmshallow_github.com.google.re2.git_bare_0c5616d-1.tar.gz
gitsmshallow_github.com.grpc.grpc.git_e5ae3b6-1_v1.60.x.tar.gz
gitsmshallow_github.com.madler.zlib_bare_04f42ce-1.tar.gz
gitsmshallow_github.com.madler.zlib_bare_cacf7f1-1.tar.gz
gitsmshallow_github.com.nico.demumble.git_bare_01098ea-1.tar.gz
gitsmshallow_github.com.open-telemetry.opentelemetry-proto.git_bare_60fa875-1.tar.gz
gitsmshallow_github.com.protocolbuffers.protobuf.git_bare_6b5d8db-1.tar.gz
gitsmshallow_github.com.protocolbuffers.protobuf.git_bare_bc1773c-1.tar.gz

I'll keep this commit in v2, but feel free to drop it if you disagree.

Peter
View/Reply Online (#115243): https://lists.openembedded.org/g/openembedded-devel/message/115243
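The problem Peter illustrates with the download-directory listing (the same submodule fetched at several abbreviated commit ids, and no version string anywhere except on grpc itself) can be made visible mechanically. The script below is an added example, not code from the thread, from BitBake or from the grpc recipe. It parses the `gitsmshallow_*` tarball names quoted in the mail using a pattern inferred from those names (an assumption about the naming convention, not taken from the fetcher's source), groups them per repository, and reports which repositories appear at more than one revision and which carry no version hint at all. The sample input is the listing from the mail, embedded so the script runs offline.

```python
import re
from collections import defaultdict

# Sample input: the DL_DIR listing quoted in the mail above, copied as-is.
SAMPLE_TARBALLS = """
gitsmshallow_github.com.abseil.abseil-cpp.git_bare_29bf808-1.tar.gz
gitsmshallow_github.com.abseil.abseil-cpp.git_bare_5dd2407-1.tar.gz
gitsmshallow_github.com.abseil.abseil-cpp.git_bare_fb3621f-1.tar.gz
gitsmshallow_github.com.aquynh.capstone.git_bare_852f46a-1.tar.gz
gitsmshallow_github.com.c-ares.c-ares.git_bare_6360e96-1.tar.gz
gitsmshallow_github.com.census-instrumentation.opencensus-proto.git_bare_4aa53e1-1.tar.gz
gitsmshallow_github.com.cncf.xds.git_bare_e9ce688-1.tar.gz
gitsmshallow_github.com.envoyproxy.data-plane-api.git_bare_9d6ffa7-1.tar.gz
gitsmshallow_github.com.envoyproxy.protoc-gen-validate.git_bare_fab737e-1.tar.gz
gitsmshallow_github.com.googleapis.googleapis.git_bare_2f9af29-1.tar.gz
gitsmshallow_github.com.google.benchmark_bare_015d1a0-1.tar.gz
gitsmshallow_github.com.google.benchmark.git_bare_5b7683f-1.tar.gz
gitsmshallow_github.com.google.bloaty.git_bare_60209eb-1.tar.gz
gitsmshallow_github.com.google.boringssl.git_bare_2ff4b96-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_2dd1c13-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_4c9a3bb-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_565f1b8-1.tar.gz
gitsmshallow_github.com.google.googletest.git_bare_5ec7f0c-1.tar.gz
gitsmshallow_github.com.google.re2_bare_5bd6137-1.tar.gz
gitsmshallow_github.com.google.re2.git_bare_0c5616d-1.tar.gz
gitsmshallow_github.com.grpc.grpc.git_e5ae3b6-1_v1.60.x.tar.gz
gitsmshallow_github.com.madler.zlib_bare_04f42ce-1.tar.gz
gitsmshallow_github.com.madler.zlib_bare_cacf7f1-1.tar.gz
gitsmshallow_github.com.nico.demumble.git_bare_01098ea-1.tar.gz
gitsmshallow_github.com.open-telemetry.opentelemetry-proto.git_bare_60fa875-1.tar.gz
gitsmshallow_github.com.protocolbuffers.protobuf.git_bare_6b5d8db-1.tar.gz
gitsmshallow_github.com.protocolbuffers.protobuf.git_bare_bc1773c-1.tar.gz
""".split()

# Name layout as inferred from the listing above (assumption, not a BitBake spec):
#   gitsmshallow_<host>.<owner.repo>[.git][_bare]_<abbrev commit>-<n>[_<branch>].tar.gz
# The host is taken to be the first two dot-separated labels; since "/" was
# flattened to "." in the path, a repo whose name contains a dot would be
# split wrongly here (none in this sample).
NAME_RE = re.compile(
    r"^gitsmshallow_"
    r"(?P<host>[^.]+\.[^.]+)\."          # e.g. github.com
    r"(?P<path>.+?)"                     # owner.repo, slashes flattened to dots
    r"(?:\.git)?(?:_bare)?"              # optional suffixes seen in the list
    r"_(?P<rev>[0-9a-f]{7,40})"          # abbreviated commit id, no version
    r"-(?P<n>\d+)"
    r"(?:_(?P<branch>[^_]+))?"           # only the top-level grpc clone has one
    r"\.tar\.gz$"
)


def parse_tarball_name(name):
    """Return the fields encoded in one tarball name, or None if it does not match."""
    m = NAME_RE.match(name)
    if not m:
        return None
    fields = m.groupdict()
    # "owner.repo" and "owner.repo.git" refer to the same repository; the .git
    # suffix is dropped by the regex so both spellings land on one key.
    fields["repo"] = f"{fields['host']}/{fields['path'].replace('.', '/')}"
    return fields


def group_by_repo(names):
    """Map repo -> {'revs': set of commit ids, 'branches': set of version hints}."""
    groups = defaultdict(lambda: {"revs": set(), "branches": set()})
    for name in names:
        fields = parse_tarball_name(name)
        if fields is None:
            continue
        groups[fields["repo"]]["revs"].add(fields["rev"])
        if fields["branch"]:
            groups[fields["repo"]]["branches"].add(fields["branch"])
    return dict(groups)


def ambiguous_repos(groups):
    """Repos fetched at more than one revision: the names alone cannot say which is built."""
    return sorted(repo for repo, g in groups.items() if len(g["revs"]) > 1)


def unversioned_repos(groups):
    """Repos for which the download dir carries no version hint, only commit ids."""
    return sorted(repo for repo, g in groups.items() if not g["branches"])


def report(names):
    """Human-readable summary; returned as a string so callers can check it."""
    groups = group_by_repo(names)
    lines = []
    for repo in sorted(groups):
        g = groups[repo]
        version = ",".join(sorted(g["branches"])) or "<no version info>"
        lines.append(f"{repo}: revs={sorted(g['revs'])} version={version}")
    lines.append(f"fetched at multiple revisions: {ambiguous_repos(groups)}")
    lines.append(f"no version hint at all: {len(unversioned_repos(groups))} of {len(groups)} repos")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TARBALLS))
```

On the listing from the mail this flags abseil-cpp, benchmark, googletest, re2, zlib and protobuf as fetched at two or more revisions, and every repository except grpc as carrying no version information at all. Resolving an abbreviated commit id to a release would need the repository history (for example `git describe` against a full clone), which is exactly the step an SBOM generator working from the download directory cannot perform.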
