+ if [[ ${#crates[@]} -ge 300 ]]; then
+ eqawarn "This package uses a very large number of CRATES. Please provide" + eqawarn "a crate tarball instead and fetch it via SRC_URI. You can use" + eqawarn "'pycargoebuild --crate-tarball' to create one." + fi
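Review bot: the threshold in `[[ ${#crates[@]} -ge 300 ]]` is a bare literal with no comment in these lines on how it was chosen, and the eqawarn text reports neither the limit nor the package's actual crate count. Consider holding the limit in a named local variable with a one-line comment on its origin, and including `${#crates[@]}` in the first eqawarn line so a maintainer reading the build log can see how far over the limit the package is.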
12.01.2025 13:15, Agostino Sarubbo wrote:
In the context of automatically filing bugs, sometimes we also want to
On Sunday 12 January 2025 13:56:39 CET Michał Górny wrote:
+ if [[ ${#crates[@]} -ge 300 ]]; then
+ eqawarn "This package uses a very large number of
CRATES. Please provide" + eqawarn "a crate tarball
instead and fetch it via SRC_URI. You can use" +
eqawarn "'pycargoebuild --crate-tarball' to create one." + fi
I would like to suggest using the "QA Notice: " prefix if you want to have them reported.
Agostino
Side question: maybe eqawarn should add such a prefix automatically?
On 12/01/2025 13.56, Michał Górny wrote:
Emit a QA warning suggesting the use of a crate tarball, when the
package in question uses 300 crates or more. Such long crate
lists cause ebuilds and Manifests to grow very fast, causing
significant space consumption on end user systems (including users
who are not using the package in question) and git history growth.
On top of that, fetching that many crates takes significant time.
The number of 300 is pretty arbitrary, chosen approximately to match Manifests that are over 100 KiB in size. We should probably look
into lowering in the future, as more packages are transitioned.
Thanks for your proposal. I know you wrote it because Gentoo is
important to you.
I am sorry, however, but the arbitrary limit you propose is harmful,
and its necessity is questionable.
It is unnecessary, at least in its current form, because the size
growth of Gentoo's package repository is manageable. See the previous analysis for EGO_SUM [1].
What is more worrisome, however, is that it is harmful.
First, switching from individual crates to a single crate tarball
disallows inter-package crate archive reuse. Often, users will
already have the required crates downloaded because another installed
package used them. With an artificial crate count limit, users must
download rather large crate tarballs, causing unnecessary traffic and increasing the disk space on Gentoo's mirrors and end-user systems.
The crate tarballs quickly eat away the saved disk space in the
ebuild repository.
Even worse, crate tarballs negatively impact the security of Gentoo
users as they make it harder to audit ebuilds, and third-party crate tarballs add a further distinct party that can inject malicious code. Considering the recent supply chain attacks, this alone is a
show-stopper.
Why is this warning suddenly necessary? Did a user run into an issue
caused by more than 300 entries?
- Flow
1: https://public-inbox.gentoo.org/gentoo-dev/6ed0f286-f9eb-9e93-4fec-296646f79871@gentoo.org/
On Mon, 13 Jan 2025 10:40:30 +0100
Florian Schmaus <flow@gentoo.org> wrote:
On 12/01/2025 13.56, Michał Górny wrote:
Emit a QA warning suggesting the use of a crate tarball, when the
package in question uses 300 crates or more. Such long crate
lists cause ebuilds and Manifests to grow very fast, causing
significant space consumption on end user systems (including users
who are not using the package in question) and git history growth.
On top of that, fetching that many crates takes significant time.
The number of 300 is pretty arbitrary, chosen approximately to match Manifests that are over 100 KiB in size. We should probably look
into lowering in the future, as more packages are transitioned.
Thanks for your proposal. I know you wrote it because Gentoo is
important to you.
I am sorry, however, but the arbitrary limit you propose is harmful,
and its necessity is questionable.
It's worth pointing out that this is already being done in Gentoo; see dev-util/maturin for one example.
It certainly feels like all of a sudden to me. At least, as far as I understand, there is no trigger event or similar. I am sorry, but
instead, it appears that you have decided that today is the day when we
need this.