Precedence: list
MIME-Version: 1.0
References: <1445177115-5446-1-git-send-email-christian@kampka.net> <20151104091345.1f8aba66@ncopa-desktop.alpinelinux.org>
In-Reply-To: <20151104091345.1f8aba66@ncopa-desktop.alpinelinux.org>
From: Christian Kampka <christian@kampka.net>
Date: Wed, 04 Nov 2015 11:32:16 +0000
Message-ID: <CADq4isQE7Rdsyff3tikOzKwL-wyRz=-aqh_BAE=JhXLeQ+yxuA@mail.gmail.com>
Subject: Re: [alpine-aports] [PATCH 1/2] testing/glock: new aport
To: Natanael Copa <ncopa@alpinelinux.org>
Cc: alpine-aports@lists.alpinelinux.org
Content-Type: multipart/alternative; boundary=001a11c2a99661bc600523b55da8

--001a11c2a99661bc600523b55da8
Content-Type: text/plain; charset=UTF-8

>
> On Sun, 18 Oct 2015 16:05:14 +0200
> Christian Kampka <christian@kampka.net> wrote:
>
> > https://github.com/robfig/glock
> >
> > Glock is a command-line tool to lock dependencies to specific revisions,
> > using a version control hook to keep those revisions in sync across a
> team.
> > ---
> >  testing/glock/APKBUILD | 67
> ++++++++++++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 67 insertions(+)
> >  create mode 100644 testing/glock/APKBUILD
>
> I used the snapshot function and uploaded the tarball.
>
> However, the tarball I get must be different from the one you get.
>
> >>> glock: Checking sha512sums...
> glock-0.0.20151018.tar.gz: FAILED
> sha512sum: WARNING: 1 of 1 computed checksums did NOT match
> Because the remote file above failed the sha512sum check it will be
> deleted.
> Rebuilding will cause it to re-download which in some cases may fix the
> problem.
> Deleting: glock-0.0.20151018.tar.gz
> >>> ERROR: glock: all failed
>
>
> I suspect that go pulls in whatever happens to the latest git at that
> point of some dependency.


That is to be expected, actually, since the tarball is gzip, so no two
snapshots, although the may have identical content, will have different
checksums due to the fact that the gzip header contains (amongst other
things) a timestamp.
A simple solution would be to refactor the patch to use uncompressed tar as
the archive format, which will avoid this issue.


> Also, they have not made any releases, which indicates that 1) program
> is not ready for packaging, 2) program is not supposed to be packaged.
>

I am not keen on packaging this program either. It is needed as a build
dependency of the dockerize package.
Since the dockerize package has a snapshot function as well (for dealing
with dependencies), I could easily remove this package by building glock
once in the dockerize snapshot function and apply it to generate the
snapshot. Since glock is not used for anything else, I think this might
also be a feasible solution.

I am open for suggestions how do properly package Go applications.
>
> Did anyone bring up this for Go community? I have the impression that
> go developers wants you to use the Go package manager.
>
> Maybe we should just let the alpine linux users do that?


Sadly, there is no "one" Go package manager, there are several attempts to
solve this problem [1]. Glock is an attempt that has never really taken of,
so rarely onyone uses it, but the dockerize author has not ported his
program to anything like Godeps (which seems to be the most common choice
atm).

I don't think a good solution will present itself unless the go community
can agree on a sane way of handling dependencies first.

Cheers,
Christian

[1] https://github.com/golang/go/wiki/PackageManagementTools

--001a11c2a99661bc600523b55da8
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><blockquote class=3D"gmail_quot=
e" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">=
On Sun, 18 Oct 2015 16:05:14 +0200<br>
Christian Kampka &lt;<a href=3D"mailto:christian@kampka.net" target=3D"_bla=
nk">christian@kampka.net</a>&gt; wrote:<br>
<br>
&gt; <a href=3D"https://github.com/robfig/glock" rel=3D"noreferrer" target=
=3D"_blank">https://github.com/robfig/glock</a><br>
&gt;<br>
&gt; Glock is a command-line tool to lock dependencies to specific revision=
s,<br>
&gt; using a version control hook to keep those revisions in sync across a =
team.<br>
&gt; ---<br>
&gt;=C2=A0 testing/glock/APKBUILD | 67 ++++++++++++++++++++++++++++++++++++=
++++++++++++++<br>
&gt;=C2=A0 1 file changed, 67 insertions(+)<br>
&gt;=C2=A0 create mode 100644 testing/glock/APKBUILD<br>
<br>
I used the snapshot function and uploaded the tarball.<br>
<br>
However, the tarball I get must be different from the one you get.<br>
<br>
&gt;&gt;&gt; glock: Checking sha512sums...<br>
glock-0.0.20151018.tar.gz: FAILED<br>
sha512sum: WARNING: 1 of 1 computed checksums did NOT match<br>
Because the remote file above failed the sha512sum check it will be deleted=
.<br>
Rebuilding will cause it to re-download which in some cases may fix the pro=
blem.<br>
Deleting: glock-0.0.20151018.tar.gz<br>
&gt;&gt;&gt; ERROR: glock: all failed<br>
<br>
<br>
I suspect that go pulls in whatever happens to the latest git at that<br>
point of some dependency.</blockquote><div><br></div><div>That is to be exp=
ected, actually, since the tarball is gzip, so no two snapshots, although t=
he may have identical content, will have different checksums due to the fac=
t that the gzip header contains (amongst other things) a timestamp.</div><d=
iv>A simple solution would be to refactor the patch to use uncompressed tar=
 as the archive format, which will avoid this issue.</div><div>=C2=A0</div>=
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">
Also, they have not made any releases, which indicates that 1) program<br>
is not ready for packaging, 2) program is not supposed to be packaged.<br><=
/blockquote><div><br></div><div>I am not keen on packaging this program eit=
her. It is needed as a build dependency of the dockerize package.</div><div=
>Since the dockerize package has a snapshot function as well (for dealing w=
ith dependencies), I could easily remove this package by building glock onc=
e in the dockerize snapshot function and apply it to generate the snapshot.=
 Since glock is not used for anything else, I think this might also be a fe=
asible solution.</div><div><br></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I am open for suggestions how do properly package Go applications.<br>
<br>
Did anyone bring up this for Go community? I have the impression that<br>
go developers wants you to use the Go package manager.<br>
<br>
Maybe we should just let the alpine linux users do that?</blockquote><div><=
br></div><div>Sadly, there is no &quot;one&quot; Go package manager, there =
are several attempts to solve this problem [1]. Glock is an attempt that ha=
s never really taken of, so rarely onyone uses it, but the dockerize author=
 has not ported his program to anything like Godeps (which seems to be the =
most common choice atm).</div><div><br></div><div>I don&#39;t think a good =
solution will present itself unless the go community can agree on a sane wa=
y of handling dependencies first.</div><div><br></div><div>Cheers,</div><di=
v>Christian</div><div><br></div><div>[1] <a href=3D"https://github.com/gola=
ng/go/wiki/PackageManagementTools">https://github.com/golang/go/wiki/Packag=
eManagementTools</a>=C2=A0</div></div></div>

--001a11c2a99661bc600523b55da8--


---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---