#139 Support vendoring
Opened a year ago by walters. Modified a year ago

Hi, filing this after I saw an IRC discussion. Because RHEL made a decision not to match the Fedora model of "exploded crate" dependencies but instead vendor, it pushed us in at least the CoreOS group and others to avoid doing it both ways and so vendor in Fedora too.

It'd be good if this project added support for that model, and we can also help build best practices around that.


That said, I personally think there's a much better approach, which is something like this: https://hackmd.io/8_EewOxeSqGuNYhPFx1rVg

Where instead of mapping crates into RPMs, we support a model that's more like a license-checked filtered subset of crates.io, and the buildsystem supports cargo build offline from that filtered subset. We could build from something more like a Dockerfile, and generate RPMs (or not) - i.e. this path makes things much better for those who want to build things in Fedora that aren't RPMs.

So you're proposing to run an alternative crate registry in koji, like there (previously?) was an alternative maven repository support in koji?

I'm going to put aside the whole comment there, and point out that @aplanas has been working on a PR to add support for vendoring stuff in #105. However, this will not change the policy for Fedora to recommend, support, or promote the usage of vendoring.

So you're proposing to run an alternative crate registry in koji, like there (previously?) was an alternative maven repository support in koji?

Yes. But a big difference here since then is we have containers and OSBS, so the role of Koji in those builds is already much reduced - i.e. in OSBS we accept Dockerfile etc. which has nothing to do with RPM repos etc.

Note: https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_bundled_dependencies

Basically, bundling crate dependencies in Rust packages is already forbidden for Fedora packages, unless it's impossible to build packages otherwise. Firefox and Thunderbird are two cases. And there's one other package where the maintainer has ignored me and gone for bundled dependencies anyway.

All of this discussion applies almost equally well to Go incidentally; GOPROXY can be used in much the same way as a crate mirror.
