Re: [yocto] #golang: go fetches dependencies in compile phase

Mon, 12 Apr 2021 02:00:52 -0700 

On 09/04/2021 16:53, Juergen Landwehr wrote:

Hi,
we are developing an application in go and use the "go-mod" bb-class from poky. This works fine. However, the problem is, that the dependencies in go.mod are now fetched in the compile phase and not in the fetch phase. 


Alexander (whom you cc'ed here as well) wrote a long time ago on the 
mailing list[1] about this stuff.



We have a couple of issues with those "modern" languages like go, which 
behave quite differently from good old Unix stuff. So the paradigm on 
which the whole Bitbake/OpenEmbedded/Yocto system was built does not 
quite apply for those.



Don't get me wrong, you can also do stupidities like git clone via make 
or cmake, but this is most likely not the way those tools should be used.


1) "Guaranteed __NOT__ reproducible builds"(C)


Go pulls in dependencies by itself, which might explain why it's in the 
compile phase and not it the fetch phase.



This leads to many interesting issues, like "guaranteed __NOT__ 
reproducible builds"(C). The problem is, that you don't have any 
influence on dependencies of dependencies. Someone changes somewhere a 
dependency on github and the party starts.



1.1) One sane solution to "please give me always the same input" is what 
Konrad already mentioned in combination with a local golang proxy.


2) Open Source License Compliance


If you pull in all those funny dependencies and also link things 
statically, like with go, Open Source License Compliance is getting very 
interesting.



People typically just use the license of the top level "main" entry 
point. In reality you would need to check all the dependency tree for 
licenses. You should also check if it's legally allowed to combine the 
licenses and in case it's allowed what are implications of GPLvx, 
LGPLv2, LGPLv3 without exceptions for your product.


[1] https://www.yoctoproject.org/pipermail/yocto/2017-March/035028.html

Regards,

Robert

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#53079): https://lists.yoctoproject.org/g/yocto/message/53079
Mute This Topic: https://lists.yoctoproject.org/mt/81968964/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-























					Reply via email to