pkgsrc-Users archive
Re: Create influxdb package
* On 2019-01-14 at 09:07 GMT, Attila Fülöp wrote:
> On 1/14/19 9:22 AM, Jonathan Perkin wrote:
> > * On 2019-01-14 at 06:38 GMT, Attila Fülöp wrote:
> >
> >> Basically `go build` takes care of that, it tracks, downloads and builds
> >> all dependencies as part of the build process. Go packages are linked
> >> statically, so once the binary is built we are set.
> >
> > Right, this is completely incompatible with the way pkgsrc works. You
> > have to ensure that all downloads are done up-front, which is what the
> > go-dep.mk infrastructure does.
>
> Well, my pkgsrc knowledge is quite limited, so I can't see why this must
> be. Let me try this in real life, maybe I'll stumble over the obvious.
There are at least 3 reasons that immediately come to mind:
- Security and repeatability. We double checksum every source file
to ensure that what we are building is exactly what was committed
to pkgsrc. Too often we encounter upstream packages that replace
their source distfiles in-place (eww), or with things like npm you
can end up pulling in minor updates (because the version wasn't
pinned in package.json) that are compromised versions. The
security reasons here are obvious, but it's important to consider
reproducible builds so that, with the right environment, you get
identical bits no matter when the package was built.
- Some pkgsrc users like to perform a full source download run first,
and then build their packages on a machine that is offline. This
not only ensures the security of the distfiles, but also protects
against malicious configure scripts that leak information. There
are also practical reasons here, for example if you have a single
machine doing the downloads to NFS which is then shared to a bunch
of private build machines.
- From a practical point of view, "patch" comes before "build" in a
package build, so any downloads performed during "build" won't be
able to use the normal pkgsrc patching infrastructure.
There are probably others, but suffice to say that any downloads
during the "build" phase are completely forbidden.
--
Jonathan Perkin - Joyent, Inc. - www.joyent.com
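The "double checksum" check Jonathan describes, as an added example that is not pkgsrc's own code: a small distinfo-style verifier (the line format mirrors pkgsrc's distinfo file; the choice of SHA1 plus SHA512, the distfile name and its contents are constructed for this example) that records two digests and the size for a distfile and rejects one that has been replaced in place or was never recorded at all.

```python
import hashlib
import re

# distinfo-style line: "ALGO (distfile) = value" or "Size (distfile) = N bytes"
LINE_RE = re.compile(r"^(\w+) \((.+)\) = (.+?)( bytes)?$")

# Constructed sample data: the committed distfile and an in-place replacement.
DISTFILE = "example-distfile.tar.gz"          # placeholder name, not a real package
GOOD = b"constructed distfile contents v1.0\n"
TAMPERED = b"constructed distfile contents v1.0 with an extra line\n"


def make_distinfo(name, data):
    """Record two independent digests plus the size, as a distinfo file does."""
    return "\n".join([
        f"SHA1 ({name}) = {hashlib.sha1(data).hexdigest()}",
        f"SHA512 ({name}) = {hashlib.sha512(data).hexdigest()}",
        f"Size ({name}) = {len(data)} bytes",
    ])


def parse_distinfo(text):
    """Return {distfile: {algo: recorded value}} from distinfo-style lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            algo, name, value, _ = m.groups()
            entries.setdefault(name, {})[algo] = value
    return entries


def verify_distfile(name, data, entries):
    """Return a list of (algo, expected, actual) mismatches; empty means OK.
    A distfile with no recorded entry fails too, so nothing unrecorded
    (e.g. something fetched during the build) can ever pass."""
    recorded = entries.get(name)
    if recorded is None:
        return [("missing", "recorded entry", "none")]
    mismatches = []
    for algo, expected in recorded.items():
        if algo == "Size":
            actual = str(len(data))
        else:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        if actual != expected:
            mismatches.append((algo, expected, actual))
    return mismatches


DISTINFO = make_distinfo(DISTFILE, GOOD)   # what was committed to pkgsrc
```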