[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2019-09-22 23:59 UTC
The attached list notes all of the packages that were added or removed from the tree, for the week ending 2019-09-22 23:59 UTC. Removals: dev-embedded/bitbake20190917-08:40 mgorny 6e28041d3c2 media-gfx/pixie 20190917-08:42 mgorny 9e823981cd3 net-irc/eiwic 20190917-08:42 mgorny 7e4a92cb373 net-misc/openrdate 20190917-08:41 mgorny 735e35acabf sys-kernel/bliss-initramfs 20190917-08:43 mgorny 02ec7405143 virtual/ruby-ffi20190921-16:24 mgorny 8827291f20b Additions: acct-group/elasticsearch20190921-05:23 juippis 65e40e79478 acct-group/kibana 20190921-05:37 juippis f84744ecba8 acct-group/mythtv 20190917-19:58 juippis ec3b73c3f3e acct-group/nofiles 20190908-19:31 juippis fc8999d6a5a acct-group/qmail20190908-19:31 juippis fc8999d6a5a acct-group/spectrum 20190917-17:58 andrey_utkin ca6ad5fb253 acct-group/unifi20190917-17:07 bkohler bfc8dd0620a acct-user/alias 20190908-20:35 juippis ea8ecc21edc acct-user/elasticsearch 20190921-05:24 juippis d0af74e9dc3 acct-user/kibana20190921-05:39 juippis 5501a7f5b36 acct-user/mythtv20190917-19:57 juippis f0da885e136 acct-user/qmaild20190908-20:35 juippis ea8ecc21edc acct-user/qmaill20190908-20:35 juippis ea8ecc21edc acct-user/qmailp20190908-20:35 juippis ea8ecc21edc acct-user/qmailq20190908-20:35 juippis ea8ecc21edc acct-user/qmailr20190908-20:35 juippis ea8ecc21edc acct-user/qmails20190908-20:35 juippis ea8ecc21edc acct-user/spectrum 20190917-17:59 andrey_utkin 9b80bb3683a acct-user/unifi 20190917-17:08 bkohler 3d95aaace86 app-emulation/firecracker 20190922-18:48 zlogene c75632418e3 dev-erlang/mqtree 20190917-19:14 hanno1d313990f9d dev-erlang/pkix 20190917-19:16 hanno0e1d94d53b6 dev-libs/aws-c-common 20190815-16:15 juippis 43a1809326d dev-libs/aws-c-event-stream 20190815-16:18 juippis 6b616976c6e dev-libs/aws-checksums 20190815-16:21 juippis 52fa8ed86d3 dev-libs/rlottie20190921-07:31 juippis 42873c46b7e dev-python/cheetah3 20190922-13:32 ultrabug 463f43f31b8 dev-ruby/x25519 20190917-05:37 graaff 15e5b7da57e net-im/skype-dbus-mock 20190411-19:08 juippis 3a021a2ec6a net-wireless/nanovna-saver 20190920-17:27 zerochaos6931fd8f2bb -- Robin Hugh Johnson Gentoo Linux Developer E-Mail : robb...@gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 Removed Packages: virtual/ruby-ffi,removed,mgorny,20190921-16:24,8827291f20b sys-kernel/bliss-initramfs,removed,mgorny,20190917-08:43,02ec7405143 media-gfx/pixie,removed,mgorny,20190917-08:42,9e823981cd3 net-irc/eiwic,removed,mgorny,20190917-08:42,7e4a92cb373 net-misc/openrdate,removed,mgorny,20190917-08:41,735e35acabf dev-embedded/bitbake,removed,mgorny,20190917-08:40,6e28041d3c2 Added Packages: dev-python/cheetah3,added,ultrabug,20190922-13:32,463f43f31b8 app-emulation/firecracker,added,zlogene,20190922-18:48,c75632418e3 acct-user/kibana,added,juippis,20190921-05:39,5501a7f5b36 acct-group/kibana,added,juippis,20190921-05:37,f84744ecba8 acct-user/elasticsearch,added,juippis,20190921-05:24,d0af74e9dc3 acct-group/elasticsearch,added,juippis,20190921-05:23,65e40e79478 acct-user/alias,added,juippis,20190908-20:35,ea8ecc21edc acct-user/qmaild,added,juippis,20190908-20:35,ea8ecc21edc acct-user/qmaill,added,juippis,20190908-20:35,ea8ecc21edc acct-user/qmailp,added,juippis,20190908-20:35,ea8ecc21edc acct-user/qmailq,added,juippis,20190908-20:35,ea8ecc21edc acct-user/qmailr,added,juippis,20190908-20:35,ea8ecc21edc acct-user/qmails,added,juippis,20190908-20:35,ea8ecc21edc acct-group/nofiles,added,juippis,20190908-19:31,fc8999d6a5a acct-group/qmail,added,juippis,20190908-19:31,fc8999d6a5a dev-libs/rlottie,added,juippis,20190921-07:31,42873c46b7e net-im/skype-dbus-mock,added,juippis,20190411-19:08,3a021a2ec6a net-wireless/nanovna-saver,added,zerochaos,20190920-17:27,6931fd8f2bb acct-user/mythtv,added,juippis,20190917-19:57,f0da885e136 acct-group/mythtv,added,juippis,20190917-19:58,ec3b73c3f3e dev-libs/aws-checksums,added,juippis,20190815-16:21,52fa8ed86d3 dev-libs/aws-c-event-stream,added,juippis,20190815-16:18,6b616976c6e dev-libs/aws-c-common,added,juippis,20190815-16:15,43a1809326d acct-user/spectrum,added,andrey_utkin,20190917-17:59,9b80bb3683a acct-group/spectrum,added,andrey_utkin,20190917-17:58,ca6ad5fb253 dev-erlang/pkix,added,hanno,20190917-19:16,0e1d94d53b6 dev-erlang/mqtree,added,hanno,20190917-19:14,1d313990f9d acct-user/unifi,added,bkohler,20190917-17:08,3d95aaace86 acct-group/unifi,added,bkohler,20190917-17:07,bfc8dd0620a dev-ruby/x25519,added,graaff,20190917-05:37,15e5b7da57e Done.
Re: [gentoo-dev] [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing
> On Sep 21, 2019, at 12:09 PM, Michał Górny wrote: > > Hi, > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having > the former trigger QA warning asking the dev to double-check if it's > 'GPL-2-only' or 'GPL-2+'. > > > GNU Licenses currently don't carry an upgrade clause -- instead, authors > are expected to decide whether they permit upgrade to newer versions of > the license in question, or require users to stick with their version of > choice. > > Their decision is normally indicated in copyright notices on top > of source files. Those that permit upgrade usually state 'either > version N of the License, or (at your option) any later version.', while > others remove the 'or...' or even replace with 'only' (sometimes > removing 'either', sometimes leaving it ;-)). > > The truth is, many developers don't go that far to verify it. Instead, > they usually look at 'COPYING' or 'LICENSE', read the version there > and put 'GPL-2', 'GPL-3' etc. in the ebuild. It doesn't help that > GitHub does the same and shows the result as easy-to-read note on top of > repo. > > > For some time I've been reviewing packages I'm (co-)maintaining, as well > as proxy-maint submissions for this particular problem. However, > surprisingly many projects actually go the 'version N only' route, even > in middle of environments that are 'N+' like Xfce. As a result, I've > ended up rechecking the same packages over and over again to the point > of starting to add comments saying 'yes, this is GPL-2 only'. > > I'd like to propose to employ a more systematic method of resolving this > problem. I would like to add additional explicit 'GPL-n-only' licenses, > and discourage using short 'GPL-n' in favor of them. The end result > would be three licenses per every version/variant, e.g.: > > GPL-2-only -- version 2 only > GPL-2+ -- version 2 or newer > GPL-2 -- might be either, audit necessary > > The main idea is that we'd be able to easily find 'non-audited' packages > with GPL-2 entries, and replace them with either GPL-2+ or GPL-2-only > after auditing. While technically it would still be possible for people > to wrongly set LICENSE to GPL-2-only, I think this explicit distinction > will help people notice that there actually is a deeper difference, > and it will still catch people who just type 'GPL-n' without looking > into the license directory. My read of this and the comments is that it boils down to getting people to do the right thing and ensuring that they did. If anyone does not already understand this, we need to have a talk with them about it. Also, for things like the Linux kernel where some files lack the or later version clause, this is going to end up with us doing GPL-2-only and GPL-2+ at the same time. Is this really what we want to do there? > > > For a start, I'd only go for adding the '-only' variants to the most > common licenses, i.e. GPL-2, -3, LGPL-2, -2.1, -3, AGPL-3, maybe some > FDL versions. I don't think we need this for the long 'exception' > variants -- I suspect that if someone did research enough to notice > the exception, then most likely he would also notice the 'or newer'. > > > WDYT? > > -- > Best regards, > Michał Górny >
Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing
On Sat, 21 Sep 2019 22:58:03 +0200 Ulrich Mueller wrote: > If the goal of this exercise is to do an audit of ebuilds labelled as > "GPL-2", then a less intrusive approach (which I had already suggested > when this issue had last been discussed) would be to add a comment to > the LICENSE line, either saying "# GPL-2 only" for packages that have > been verified. Or the other way aroung, starting with a comment saying > that it is undecided, which would be removed after an audit. This would > have the advantage not to confuse users, and have no impact on their > ACCEPT_LICENSE settings. (For example, some people exclude AGPL and > would have to add entries for AGPL-3-only.) An adjuct idea: Given things like "License" can get changed by upstream, and is prone to deviating from what we have in the ebuild, and given the only way to automate testing that requires being unable to unpack the archive and grep for various things ... Maybe we instead should be considering a per-package file that indicates some kind of audit trail? < dev-qt/qtwebengine/audit > # audit_ident aduit_param [] license 2019-09-22 5.12.5 Where for example, the license audit is: @NAME: license @PARAMS: DATE VERSION @DESCRIPTION: Certify a UTC DATE and VERSION used as reference, that you explicitly and intentionally carefully reviewed upstreams sources against the LICENSE field, ensuring you used the appropriate license and combinations, for instance: ensuring you wrote "GPL-2" only when upstreams license clearly omits the "or later" clause, and using "GPL-2+" in where the clause is present. Where you specify the version of the package at the time you carefully audited it last. At least that way, you can automate doing spot checks for license being current and then yell at somebody to re-check it. This seems like a more reliable approach than hoping the right value was used and nothing has changed without anyone noticing in the interim. And this tool could be used to expand the sort of scope of things QA can check for, by ensuring that things that can't be checked automatically, can at least have some sort of record indicating when they were checked last (where git commit log will indicate who performed the check) Though there's lots of bikeshed potential here. Just planting seeds :) pgpiGKBYayKU3.pgp Description: OpenPGP digital signature
Re: [gentoo-dev] Re: [RFC] Adding 'GPL-2-only', 'GPL-3-only' etc. license variants for better auditing
On Sat, 2019-09-21 at 17:45 -0500, William Hubbs wrote: > On Sat, Sep 21, 2019 at 09:57:25PM +0200, Michał Górny wrote: > > On Sat, 2019-09-21 at 14:26 -0500, William Hubbs wrote: > > > On Sat, Sep 21, 2019 at 09:17:53PM +0200, Ulrich Mueller wrote: > > > > > > > > > On Sat, 21 Sep 2019, Michał Górny wrote: > > > > > TL;DR: I'd like to replace 'GPL-2' with 'GPL-2-only' etc., having > > > > > the former trigger QA warning asking the dev to double-check if it's > > > > > 'GPL-2-only' or 'GPL-2+'. > > > > > > > > This has been discussed before. There is no such license as GPL-2-only. > > > > > > I am with ulm on this one. > > > We have GPL-2 and GPL-2+ in the tree. The way I read this, > > > LICENSE="GPL-2" means GPL 2 only and LICENSE="GPL-2+" means GPL-2+. > > > > > > > Have you read my original mail? > > Yes, and I just did again, and my position is still the same. > I know what we have now and what it means. The mail includes long explanation why this doesn't work. Repeating what we have now does not bring any argument to the discussion, except for anger/demotivation because it feels like you've completely ignored most of the mail and just reject it on the basis of 'it's not what we have now'. -- Best regards, Michał Górny signature.asc Description: This is a digitally signed message part
Re: [gentoo-dev] [PATCH 2/2] go-module-vendor.eclass: new eclass for go modules that do not vendor
On Sat, 2019-09-21 at 17:10 -0500, William Hubbs wrote:
> This eclass adds a src_unpack function that supports the EGO_VENDOR
> variable for vendoring modules.
> ---
> eclass/go-module-vendor.eclass | 133 +
> 1 file changed, 133 insertions(+)
> create mode 100644 eclass/go-module-vendor.eclass
>
> diff --git a/eclass/go-module-vendor.eclass b/eclass/go-module-vendor.eclass
> new file mode 100644
> index 000..af9007df411
> --- /dev/null
> +++ b/eclass/go-module-vendor.eclass
> @@ -0,0 +1,133 @@
> +# Copyright 2019 gentoo authors
> +# Distributed under the terms of the GNU General Public License v2
> +
> +# @ECLASS: go-module-vendor.eclass
> +# @MAINTAINER:
> +# William Hubbs
> +# @SUPPORTED_EAPIS: 7
> +# @BLURB: Eclass for building software written in the go
> +# programming language that uses go modules and does not vendor.
> +# @DESCRIPTION:
> +# This eclass provides a src_unpack function which supports vendoring
> +# dependencies for software written in the go programming language that
> +# uses go modules.
> +#
> +# You will know the software you are packaging uses modules because
> +# it will have files named go.sum and go.mod in its top-level source
> +# directory. If it does not have these files, use the golang-* eclasses.
> +#
> +# If there is also a directory named vendor in the top level source directory
> +# of your package, use the golang-module eclass instead of this one.
> +#
> +# This eclass provides a src_unpack function which unpacks the
> +# first tarball mentioned in SRC_URI to the usual location and unpacks
> +# any modules mentioned in EGO_VENDOR to ${S}/vendor.
> +#
> +# Please note that this eclass currently handles only tarballs
> +# (.tar.gz), but support for more formats may be added in the future.
> +#
> +# Since Go programs are statically linked, it is important that your ebuild's
> +# LICENSE= setting includes the licenses of all statically linked
> +# dependencies. So please make sure it is accurate.
> +#
> +# @EXAMPLE:
> +#
> +# @CODE
> +# EGO_VENDOR=(
> +#"github.com/xenolf/lego 6cac0ea7d8b28c889f709ec7fa92e92b82f490dd"
> +# "golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8
> github.com/golang/crypto"
> +# )
> +#
> +# inherit go-module-vendor
> +#
> +# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz ->
> ${P}.tar.gz
> +# ${EGO_VENDOR_URI}"
> +# @CODE
> +#
> +# The above example will extract the tarball to ${S} and
> +# extract the contents of EGO_VENDOR to ${S}/vendor.
> +
> +inherit go-module
> +
> +case ${EAPI:-0} in
> + 7) ;;
> + *) die "${ECLASS} API in EAPI ${EAPI} not yet established."
> +esac
> +
> +if [[ -z ${_GO_MODULE_VENDOR} ]]; then
> +
> +_GO_MODULE_VENDOR=1
> +
> +EXPORT_FUNCTIONS src_unpack
> +
> +# @ECLASS-VARIABLE: EGO_VENDOR
You want @REQUIRED here.
> +# @DESCRIPTION:
> +# This variable contains a list of vendored packages.
> +# The items of this array are strings that contain the
> +# import path and the git commit hash for a vendored package.
> +# If the import path does not start with github.com, the third argument
> +# can be used to point to a github repository.
> +
> +declare -arg EGO_VENDOR
> +
> +_go-module-vendor_set_vendor_uri() {
I think you ought to check whether EGO_VENDOR_URI is non-empty here,
and error out if it's empty. This will be important in catching people
accidentally defining it after 'inherit'.
Another thing worth considering is to actually permit defining it
anywhere. If you replaced EGO_VENDOR_URI with a function, user would
only need to define it prior to SRC_URI, e.g.:
inherit go-module-vendor
# ...
EGO_VENDOR_URI=(...)
SRC_URI="...
$(ego_vendor_uri)"
But it's up to you. I personally feel like very long lists prior to
inherit are inconvenient for the reader.
> + EGO_VENDOR_URI=
> + local lib
> + for lib in "${EGO_VENDOR[@]}"; do
> + lib=(${lib})
> + if [[ -n ${lib[2]} ]]; then
> + EGO_VENDOR_URI+="
> https://${lib[2]}/archive/${lib[1]}.tar.gz ->
> ${lib[2]//\//-}-${lib[1]}.tar.gz"
> + else
> + EGO_VENDOR_URI+="
> https://${lib[0]}/archive/${lib[1]}.tar.gz ->
> ${lib[0]//\//-}-${lib[1]}.tar.gz"
> + fi
> + done
> + readonly EGO_VENDOR_URI
> +}
> +
> +_go-module-vendor_set_vendor_uri
> +unset -f _go-module-vendor_set_vendor_uri
> +
> +_go-module-vendor_dovendor() {
> + local VENDOR_PATH=$1 VENDORPN=$2 TARBALL=$3
Common convention is to use lowercase names for local variables.
> + rm -fr "${VENDOR_PATH}/${VENDORPN}" || die
> + mkdir -p "${VENDOR_PATH}/${VENDORPN}" || die
> + tar -C "${VENDOR_PATH}/${VENDORPN}" -x --strip-components 1\
Add space before `\`.
> + -f "${DISTDIR}/${TARBALL}" || die
> +}
> +
> +# @FUNCTION: go-module-vendor_src_unpack
> +# @DESCRIPTION:
> +# Extract the first archive from ${A} to ${S}, then extract
> +# any sources mentioned in ${EGO_VENDOR} to
