Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Robin H. Johnson
On Wed, Apr 01, 2020 at 11:30:00PM +0100, Samuel Bernardo wrote: > Hi Robin, > > On 4/1/20 11:07 PM, Robin H. Johnson wrote: > >>> # I am considering removing this and just hard coding mirror://goproxy > >>> # below, so please do not rely on it. > >>> :

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Robin H. Johnson
On Wed, Apr 01, 2020 at 04:14:48PM -0400, Michael Orlitzky wrote: > On 4/1/20 4:03 PM, Samuel Bernardo wrote: > > > > Couldn't security issue in a Go library be solved with keyword mask and > > announce in portage? > > If there's an ebuild for the library, then yeah, you've got the right >

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Samuel Bernardo
Hi Robin, On 4/1/20 11:07 PM, Robin H. Johnson wrote: >>> # I am considering removing this and just hard coding mirror://goproxy >>> # below, so please do not rely on it. >>> : "${_GOMODULE_GOPROXY_BASEURI:=mirror://goproxy/}"| >> So, go-module.eclass provides a good base to follow SRP pattern

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Robin H. Johnson
On Wed, Apr 01, 2020 at 12:50:56PM +0100, Samuel Bernardo wrote: > Hi Robin, > > On 4/1/20 6:36 AM, Robin H. Johnson wrote: > > Samuel: > > I already proved that using go-module.eclass EGO_SUM it will NOT use Git > > repositories, and all of the fetching will happen long before > > src_unpack.

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Michael Orlitzky
On 4/1/20 4:03 PM, Samuel Bernardo wrote: > > Couldn't security issue in a Go library be solved with keyword mask and > announce in portage? If there's an ebuild for the library, then yeah, you've got the right idea. But with the Go eclasses, there are no ebuilds for any of the dependencies.

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Samuel Bernardo
Hi Michael, On 4/1/20 6:01 PM, Michael Orlitzky wrote: > On 4/1/20 11:49 AM, Alec Warner wrote: >> Imagine a common dep (CommonFoo-x-y-z) >> has a security problem, so we must upgrade to CommonFoo-y-z. In the >> scenario where CommonFoo is a dynamically linked package we can >> recompile it

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Samuel Bernardo
Hi Alec, Really great reading about packaging and the current challenges. This would be great to be posted in Gentoo blog! --- To all community: I would like to commend the know how of Gentoo community and their principles. I would like to evidence relatively to other distributions some

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Michael Orlitzky
On 4/1/20 11:49 AM, Alec Warner wrote: > Imagine a common dep (CommonFoo-x-y-z) > has a security problem, so we must upgrade to CommonFoo-y-z. In the > scenario where CommonFoo is a dynamically linked package we can > recompile it once[4] and new consumers will just use the new dynamic > shared

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Alec Warner
On Wed, Apr 1, 2020 at 5:14 AM Samuel Bernardo < samuelbernardo.m...@gmail.com> wrote: > Hi Robin, > On 4/1/20 6:36 AM, Robin H. Johnson wrote: > > Normally we don't bundle dependencies, avoiding that problem entirely. > The Go eclasses however are badly designed, committed against protest by >

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Samuel Bernardo
Hi Robin, On 4/1/20 6:36 AM, Robin H. Johnson wrote: >> Normally we don't bundle dependencies, avoiding that problem entirely. >> The Go eclasses however are badly designed, committed against protest by >> paid corporate interests, and serve only to facilitate large-scale >> copyright

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Samuel Bernardo
Hi Robin, On 4/1/20 6:36 AM, Robin H. Johnson wrote: > Samuel: > I already proved that using go-module.eclass EGO_SUM it will NOT use Git > repositories, and all of the fetching will happen long before > src_unpack. Why do you persist with your statement to the contrary? Sorry my

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Michał Górny
On Wed, 2020-04-01 at 05:36 +, Robin H. Johnson wrote: > On Tue, Mar 31, 2020 at 09:18:32PM -0400, Michael Orlitzky wrote: > > On 3/31/20 8:48 PM, Samuel Bernardo wrote: > > > My question started with the network sandbox issue when we need to load > > > external code dependencies. For example,

Re: [gentoo-dev] network sandbox challenge

2020-04-01 Thread Michael Orlitzky
On 4/1/20 1:36 AM, Robin H. Johnson wrote: > mjo: Can you please substantiate your claims? > > It would have been nice to have heard your concerns during February, any > of one the three times that William and I posted the go-module.eclass > EGO_SUM development work for review on this mailing

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Robin H. Johnson
On Tue, Mar 31, 2020 at 09:18:32PM -0400, Michael Orlitzky wrote: > On 3/31/20 8:48 PM, Samuel Bernardo wrote: > > > > My question started with the network sandbox issue when we need to load > > external code dependencies. For example, a go project will download all > > dependencies from git

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Michael Orlitzky
On 3/31/20 8:48 PM, Samuel Bernardo wrote: > > My question started with the network sandbox issue when we need to load > external code dependencies. For example, a go project will download all > dependencies from git repositories that will happen after src_unpack. In > this case I need to add an

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Samuel Bernardo
Hi Michael, Thank you for pointing that out. My use case was about my personal overlay that is not mirrored by Gentoo infrastructure. My question started with the network sandbox issue when we need to load external code dependencies. For example, a go project will download all dependencies from

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Samuel Bernardo
Hi Alec, Thank you very much for your explanation. I'll keep it in my notes. Best, Samuel On 3/31/20 11:41 PM, Alec Warner wrote: > In general I'd avoid using the mirror system as URI simplification too > much; a lot of the idea is to avoid hardcoding specific hosts. E.g. > for the gentoo

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Michael Orlitzky
On 3/31/20 6:21 PM, Samuel Bernardo wrote: > > But after your explanation, I understand now that mirror types provides > alias to use in ebuild SRC_URI, specially useful for the update task > (awesome). > Beware: thirdpartymirrors doesn't really do anything useful for normal ebuilds in

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Alec Warner
On Tue, Mar 31, 2020 at 3:21 PM Samuel Bernardo < samuelbernardo.m...@gmail.com> wrote: > Hi, > On 3/31/20 9:25 PM, Alec Warner wrote: > > From thirdpartymirrors file I can see more examples... The mirror type >> can be any label that I decide to use? >> > > man portage(5) says: > Whenever

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Samuel Bernardo
Hi, On 3/31/20 9:25 PM, Alec Warner wrote: > > From thirdpartymirrors file I can see more examples... The mirror type > can be any label that I decide to use? > > > man portage(5) says: > Whenever portage encounters a mirror:// style URI it will look up the > actual hosts here.  If the

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Alec Warner
On Tue, Mar 31, 2020 at 12:58 PM Samuel Bernardo < samuelbernardo.m...@gmail.com> wrote: > Hi Alec, > > On 3/27/20 11:20 PM, Alec Warner wrote: > > > > I should point you at man portage(5) (search for mirrors), which has > > more detail on how to set up a non-gentoo mirror network. > > Reading

Re: [gentoo-dev] network sandbox challenge

2020-03-31 Thread Samuel Bernardo
Hi Alec, On 3/27/20 11:20 PM, Alec Warner wrote: > > I should point you at man portage(5) (search for mirrors), which has > more detail on how to set up a non-gentoo mirror network. Reading portage manpage about mirrors I didn't find the mirror type possible values. As I could understand, there

Re: [gentoo-dev] network sandbox challenge

2020-03-28 Thread Samuel Bernardo
Thank you very much for you detailed answers Alec. I will add them to my FAQ, Best, Samuel On 3/27/20 11:20 PM, Alec Warner wrote: > > On Fri, Mar 27, 2020 at 3:59 PM Alec Warner > wrote: > > > On Fri, Mar 27, 2020 at 3:10 PM Samuel Bernardo >

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Alec Warner
On Fri, Mar 27, 2020 at 3:59 PM Alec Warner wrote: > > > On Fri, Mar 27, 2020 at 3:10 PM Samuel Bernardo < > samuelbernardo.m...@gmail.com> wrote: > >> Hi Alec, >> >> On 3/27/20 7:27 PM, Alec Warner wrote: >> > The Gentoo Mirror system is basically a set of scripts that syncs the >> > ::gentoo

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Alec Warner
On Fri, Mar 27, 2020 at 3:10 PM Samuel Bernardo < samuelbernardo.m...@gmail.com> wrote: > Hi Alec, > > On 3/27/20 7:27 PM, Alec Warner wrote: > > The Gentoo Mirror system is basically a set of scripts that syncs the > > ::gentoo repository, enumerates all URIs in SRC_URI for all ebuilds, > > and

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Samuel Bernardo
Hi Alec, On 3/27/20 7:27 PM, Alec Warner wrote: > The Gentoo Mirror system is basically a set of scripts that syncs the > ::gentoo repository, enumerates all URIs in SRC_URI for all ebuilds, > and fetches them. > It doesn't enumerate anything in any overlays. Overlay authors are > required to

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Alec Warner
On Fri, Mar 27, 2020 at 5:17 AM Samuel Bernardo < samuelbernardo.m...@gmail.com> wrote: > Hi again Michał, > On 3/27/20 11:48 AM, Michał Górny wrote: > > Nope, just ::gentoo. Minus ebuilds with RESTRICT=mirror. > > I have some doubts after reading the mirror documentation[1] in the > context of

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Michał Górny
On Fri, 2020-03-27 at 12:17 +, Samuel Bernardo wrote: > Hi again Michał, > On 3/27/20 11:48 AM, Michał Górny wrote: > > Nope, just ::gentoo. Minus ebuilds with RESTRICT=mirror. > > I have some doubts after reading the mirror documentation[1] in the > context of personal overlays (not

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Rich Freeman
On Fri, Mar 27, 2020 at 7:33 AM Michał Górny wrote: > > On Fri, 2020-03-27 at 11:29 +, Samuel Bernardo wrote: > > > Same question for unpack context when using directly the source > > repository with vcs functions. > > VCS ebuilds generally suck, for multiple reasons. We allow users to use >

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Samuel Bernardo
Hi again Michał, On 3/27/20 11:48 AM, Michał Górny wrote: > Nope, just ::gentoo. Minus ebuilds with RESTRICT=mirror. I have some doubts after reading the mirror documentation[1] in the context of personal overlays (not official). There is two procedures defined as I could understand: - manually

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Michał Górny
On Fri, 2020-03-27 at 11:45 +, Samuel Bernardo wrote: > Hi Michał, > > On 3/27/20 11:33 AM, Michał Górny wrote: > > SRC_URI is well-defined, and that makes it possible for us and users to > > develop consistent solutions. We have Gentoo mirror network to increase > > reliability when

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Samuel Bernardo
Hi Michał, On 3/27/20 11:33 AM, Michał Górny wrote: > SRC_URI is well-defined, and that makes it possible for us and users to > develop consistent solutions. We have Gentoo mirror network to increase > reliability when upstream servers fail. Users can deploy local mirrors > to increase

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Michał Górny
On Fri, 2020-03-27 at 11:29 +, Samuel Bernardo wrote: > Hi Michał, > > On 3/27/20 5:59 AM, Michał Górny wrote: > > Stop here. If you think that you need to 'break network sandbox', you > > already have the wrong attitude and shouldn't continue. Network sandbox > > is not your enemy. Using

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Samuel Bernardo
Hi Michał, On 3/27/20 5:59 AM, Michał Górny wrote: > Stop here. If you think that you need to 'break network sandbox', you > already have the wrong attitude and shouldn't continue. Network sandbox > is not your enemy. Using network is. > > Network sandbox protects users from paying extra

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Samuel Bernardo
Hi Robin, On 3/27/20 3:03 AM, Robin H. Johnson wrote: > Have you looked at the EGO_SUM in go-module? This already covers ANY go > package that uses go.mod + go.sum, in a fully reproducible way that does > not break network sandbox. I didn't understand EGO_SUM right. Thank you for mentioned it.

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Samuel Bernardo
Hi Haelwenn, On 3/27/20 1:50 AM, Haelwenn (lanodan) Monnier wrote: > Couldn't the snapd_${PV}.vendor.tar.xz available in > https://github.com/snapcore/snapd/releases > work in your case to avoid downloading tarballs? > And probably consider using go-modules.eclass, which can also allow >

Re: [gentoo-dev] network sandbox challenge

2020-03-27 Thread Michał Górny
On Fri, 2020-03-27 at 01:16 +, Samuel Bernardo wrote: > Dear all, > > Fulfilling the linting of ebuild code style design for software projects > that loads their dependencies during build, such as go based projects or > npm as an example, could be very nasty. > > Looking into source code of

Re: [gentoo-dev] network sandbox challenge

2020-03-26 Thread Robin H. Johnson
On Fri, Mar 27, 2020 at 01:16:43AM +, Samuel Bernardo wrote: > Dear all, > > Fulfilling the linting of ebuild code style design for software projects > that loads their dependencies during build, such as go based projects or > npm as an example, could be very nasty. > > Looking into source

Re: [gentoo-dev] network sandbox challenge

2020-03-26 Thread Haelwenn (lanodan) Monnier
[2020-03-27 01:16:43+] Samuel Bernardo: > 2) For snapd I need to load previously the remote repositories > dependencies into a tar.gz that need to be stored in ebuild files. This > is ugly, I know, but there is no distfiles trusted repository > alternative where I can place them. > As a

[gentoo-dev] network sandbox challenge

2020-03-26 Thread Samuel Bernardo
Dear all, Fulfilling the linting of ebuild code style design for software projects that loads their dependencies during build, such as go based projects or npm as an example, could be very nasty. Looking into source code of snapd or opennebula as two examples, I need to break network sandbox to