GNU bug report logs - #51352
Matterbridge contained a lot of vendored code

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 51352 in the body.
You can then email your comments to 51352 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: bug-guix <at> gnu.org
Subject: Matterbridge contained a lot of vendored code
Date: Sat, 23 Oct 2021 16:57:02 +0200

[Message part 1 (text/plain, inline)]

Hi,

When I sent the patch adding matterbridge to Guix, I only notified that
I didn't know if it contained vendored code or not at the last moment
(after the patch was sent, during the discussion about it, and before
it was merged).

The issue is that I didn't know go at all and more specifically I didn't
know its the compilation system worked. So I managed to create a
package for matterbridge by looking at how it was done for other go
packages.

After learning more about how go compilation worked, I found out that
matterbridge contained a lot of vendored code.

And Guix explicitly wants to avoid bundles code. In the "16.6 Submitting
Patches" section of the manual[1], we have:
> 6. Make sure the package does not use bundled copies of software
> already available as separate packages.
And here while most dependencies are not already packaged, some are,
and I guess that I should read between the lines and conclude that all
the matterbridge dependencies should rather be packaged.

So the question is what should we do about that. 

As I understand with the go build system, or you vendor all
dependencies, or you vendor none, and I've not yet managed to find a
way to workaround that yet in Guix (to do a progressive unvendoring).

So instead I've started working on unvendoring matterbridge[2]
completely, but if we go this route, there are more than 500
dependencies.

To do that I first used the following command:
    guix import go -r github.com/42wim/matterbridge

I then started looking at each package definition that Guix didn't
manage to detect the license of, and I read the licenses to find if
they were free software. All the licenses I read were FSDG compliant.
Usually they had some extra text indicating the provenance of the code
or they would have multiple free software licenses.

Then I started adding packages for the dependencies that guix import go
didn't manage to find.

Theses are repositories that are being forked from the official ones
for a reason or another.

I've not finished that yet, but I still think it was a good idea to
open a bug report as I've now more understanding of the problem.

Given the huge amount of dependencies I was wondering what was the best
approach here:
- Would it makes sense to remove matterbridge from Guix, or should we
  fix it instead?
- If we fix it by packaging each dependencies, would it be ok if that
  is done step by step, like if dependencies are packaged and patches
  for them are sent, without necessarily a way to seriously test if
  the packaged dependency work until they are used by other software
  (like matterbridge)?

Also when I'll manage to update matterbridge[3] how should we deal with
such amount of packages? Would I need to send one (generated) patch for
the upgrade of each package?

I also guess that sticking as much as possible to what Guix import go
generates would help in situations like that as it would make the
maintenance faster.

References:
-----------
[1]https://guix.gnu.org/manual/en/guix.html#Submitting-Patches
[2]https://git.replicant.us/contrib/GNUtoo/infrastructure/guix/log/?h=matterbridge-unvendor
[3]Right now there is a compilation issue that I didn't manage to fix,
  even with help from #guix).

Denis.

[Message part 2 (application/pgp-signature, inline)]

Message #8 received at 51352 <at> debbugs.gnu.org (full text, mbox):

From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>, 51352 <at> debbugs.gnu.org
Cc: Mathieu Othacehe <othacehe <at> gnu.org>
Subject: Re: Matterbridge contained a lot of vendored code
Date: Sat, 23 Oct 2021 18:43:37 +0200

Hi,

Am Samstag, den 23.10.2021, 16:57 +0200 schrieb Denis 'GNUtoo' Carikli:
> Hi,
> 
> When I sent the patch adding matterbridge to Guix, I only notified
> that I didn't know if it contained vendored code or not at the last
> moment (after the patch was sent, during the discussion about it, and
> before it was merged).
> 
> The issue is that I didn't know go at all and more specifically I
> didn't know its the compilation system worked. So I managed to create
> a package for matterbridge by looking at how it was done for other go
> packages.
> 
> After learning more about how go compilation worked, I found out that
> matterbridge contained a lot of vendored code.
Judging from the original issue, you did note that guideline and that
you were unsure about the "under the hood" stuff, which imo should have
prompted a closer look.  CC'd Mathieu to check whether pushing it
regardless was intentional.

> And Guix explicitly wants to avoid bundles code. In the "16.6
> Submitting Patches" section of the manual[1], we have:
> > 6. Make sure the package does not use bundled copies of software
> > already available as separate packages.
> And here while most dependencies are not already packaged, some are,
> and I guess that I should read between the lines and conclude that
> all the matterbridge dependencies should rather be packaged.
> 
> So the question is what should we do about that. 
> 
> As I understand with the go build system, or you vendor all
> dependencies, or you vendor none, and I've not yet managed to find a
> way to workaround that yet in Guix (to do a progressive unvendoring).
> 
> So instead I've started working on unvendoring matterbridge[2]
> completely, but if we go this route, there are more than 500
> dependencies.
> 
> To do that I first used the following command:
>     guix import go -r github.com/42wim/matterbridge
> 
> I then started looking at each package definition that Guix didn't
> manage to detect the license of, and I read the licenses to find if
> they were free software. All the licenses I read were FSDG compliant.
> Usually they had some extra text indicating the provenance of the
> code or they would have multiple free software licenses.
> 
> Then I started adding packages for the dependencies that guix import
> go didn't manage to find.
It's good that you've started.  Perhaps you might want to illustrate
the dependency "tree" (assuming it is one) or graph to roughly indicate
how much needs to be done and at which points we could cut off portions
of the DAG to process as batches.

> Theses are repositories that are being forked from the official ones
> for a reason or another.
> 
> I've not finished that yet, but I still think it was a good idea to
> open a bug report as I've now more understanding of the problem.
> 
> Given the huge amount of dependencies I was wondering what was the
> best approach here:
> - Would it makes sense to remove matterbridge from Guix, or should we
>   fix it instead?
I'll let Mathieu decide that one.

> - If we fix it by packaging each dependencies, would it be ok if that
>   is done step by step, like if dependencies are packaged and patches
>   for them are sent, without necessarily a way to seriously test if
>   the packaged dependency work until they are used by other software
>   (like matterbridge)?
Ideally, those packages would at least have a working test suite, but I
understand that such concerns are not always valid in the industry :)
As noted before, cutting off branches of the dependency DAG at
reasonable points and committing them in batches sounds like a good
idea to me.  No one wants to review a 500 commit bomb.

> Also when I'll manage to update matterbridge[3] how should we deal
> with such amount of packages? Would I need to send one (generated)
> patch for the upgrade of each package?
One patch per package, plus one to fix the matterbridge package.

> I also guess that sticking as much as possible to what Guix import go
> generates would help in situations like that as it would make the
> maintenance faster.
The importers exist to make your life easier, but they're not
omniscient.  Please do exercise caution when dealing with them :)

Cheers,
Liliana

Message #11 received at 51352 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
Cc: 51352 <at> debbugs.gnu.org
Subject: Re: bug#51352: Matterbridge contained a lot of vendored code
Date: Sat, 23 Oct 2021 15:49:28 -0400

On Sat, Oct 23, 2021 at 04:57:02PM +0200, Denis 'GNUtoo' Carikli wrote:
> Given the huge amount of dependencies I was wondering what was the best
> approach here:
> - Would it makes sense to remove matterbridge from Guix, or should we
>   fix it instead?

There's no need to remove it.

Vendoring, or bundling, is not a matter of software freedom, but rather
about maintainability or transparency.

With a bundled dependency graph, the Guix tools for inspecting and
manipulating the dependency graph do not work. But, we already bundle
the dependencies of some other Go packages, and every Rust package does
not work with the Guix dependency graph tooling.

Message #16 received at 51352-done <at> debbugs.gnu.org (full text, mbox):

From: Sharlatan Hellseher <sharlatanus <at> gmail.com>
To: 51352-done <at> debbugs.gnu.org
Subject: Matterbridge contained a lot of vendored code
Date: Wed, 11 Dec 2024 21:18:04 +0000

[Message part 1 (text/plain, inline)]

Hi,

Closing this one as matterbridge on the way of unbundle all packages
from vendor to make it possible to upgrade. Vendor is no longer provided
in the latest version of the package.

See commit 1dd7a47b652f9533290abb17261476fafaf92eb7.

--
Thanks,
Oleg

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.