On Mon, 13 Jan 2025 10:40:30 +0100 Florian Schmaus <f...@gentoo.org> wrote:
> On 12/01/2025 13.56, Michał Górny wrote:
> > Emit a QA warning suggesting the use of crate tarball, when the
> > package in question uses 300 crates or more. Such long crate
> > lists cause ebuilds and Manifests to grow very fast, causing
> > significant space consumption on end user systems (including users
> > who are not using the package in question) and git history growth.
> > On top of that, fetching that many crates takes significant time.
> >
> > The number of 300 is pretty arbitrary, chosen approximately to match
> > Manifests that are over 100 KiB in size. We should probably look
> > into lowering it in the future, as more packages are transitioned.
>
> Thanks for your proposal. I know you wrote it because Gentoo is
> important to you.
>
> I am sorry, however, but the arbitrary limit you propose is harmful,
> and its necessity is questionable.

It's worth pointing out that this is already being done in Gentoo, see dev-util/maturin for one example.

> It is unnecessary, at least in its current form, because the size
> growth of Gentoo's package repository is manageable. See the previous
> analysis for EGO_SUM [1].
>
> What is more worrisome, however, is that it is harmful.
>
> First, switching from individual crates to a single crate tarball
> disallows inter-package crate archive reuse. Often, users will
> already have the required crates downloaded because another installed
> package used them. With an artificial crate count limit, users must
> download rather large crate tarballs, causing unnecessary traffic and
> increasing the disk space on Gentoo's mirrors and end-user systems.
> The crate tarballs quickly eat away the saved disk space in the
> ebuild repository.
>
> Even worse, crate tarballs negatively impact the security of Gentoo
> users as they make it harder to audit ebuilds, and third-party crate
> tarballs add a further distinct party that can inject malicious code.
> Considering the recent supply chain attacks, this alone is a
> show-stopper.
>
> Why is this warning suddenly necessary? Did a user run into an issue
> caused by more than 300 entries?
>
> - Flow
>
> 1:
> https://public-inbox.gentoo.org/gentoo-dev/6ed0f286-f9eb-9e93-4fec-296646f79...@gentoo.org/