From: David Naylor
To: freebsd-mono@freebsd.org
Cc: Russell Haley, Robert Alegrid, Romain Tartière
Subject: Re: Update on porting mono 5
Date: Tue, 05 Sep 2017 21:25:39 +0200
Message-ID: <1557586.GGzvBQ0jK6@dragon.local>
References: <17078253.u2dgjZK1Z6@dragon.local>
List-Id: Mono and C# applications on FreeBSD

On Saturday, 2 September 2017 07:40:28 Russell Haley wrote:
> On Sat, Sep 2, 2017 at 4:55 AM, Robert Alegrid wrote:
> >> Another problem with nuget packages is that you only get binaries,
> >> right? That means that if something goes really wrong, there is no way
> >> to audit the source code of what led to disaster. The problem is
> >> similar with the few Java projects I gave a look at. My feeling is that
> >> this is even worse :-( Ruby being interpreted, there are no such
> >> problems.
> >>
> > NuGet packages have in their manifest a field to specify where the source
> > code lives. However, since it's optional and is just a URL to the
> > repository, it probably doesn't help much for this use case.
>
> Is this coming up because of the use of Nuget during the build process
> or is it because of general concern for the user?

The first issue is a practical one: with ports now requiring tens of nuget
packages (and lock files generated by nuget - so we cannot cheat) it is
becoming an issue with porting. The second issue is more a philosophical
one around concern for the user. The discussion below covers this concern
and doesn't change the immediate plans for handling nuget packages (as
bundled dependencies).

> As a professional DotNet developer, I agree with Mr. Alegrid for the
> most part. Nuget is designed as a binary tool because DotNet is a
> binary based system. It comes from a user mindset, not an opensource
> mindset. Because of that, I question why we are having this
> discussion. Is it not the decision of the user/developer how they
> would like to use their package manager? Also, it is their choice if
> they prefer to use sources. I sometimes do both. Stable packages from
> Nuget and others from source.

The question here is how easy is it for the developer to change the
binaries they consume? A good way to illustrate the problem is the
Heartbleed bug in OpenSSL. Currently on FreeBSD the libopenssl.so file is
centrally accessible, so to fix the bug just requires fixing the centrally
stored libopenssl.so file. However, if all programs that used
libopenssl.so had their own local copy (say statically compiled, or
otherwise) the fix would be a headache. In the land of Ports, we would
need to patch (or wait for an update of) every single port that used
OpenSSL. This is obviously a problematic situation to be in.
Philosophically it is one of the differences between Windows (everyone
bundles all their dependencies) and Unix [1] (all dependencies are
centrally available).

> Nuget is designed for local, per project resources. It is particularly
> effective when developing across many developers as it will go and get
> the packages for you automatically at build time (wicked cool feature,
> which seamlessly mixes source with binary distribution). Items that
> are supposed to live system wide are to be stored in the General
> Assembly Cache (GAC) and should be designed to be put there. You can
> get Nuget to drop things in the GAC but I have not used this feature.
> The GAC is designed around large scale software deployments which,
> sadly, I don't think will ever apply to mono on FreeBSD.

In a limited sense, nuget is redundant on FreeBSD thanks to the Ports
Collection and pkg - but I do see the need on Windows and more generally
in the .NET ecosystem.

Do you perhaps have any links that detail how nuget can store dlls in the
GAC?

> Worrying about per-port repositories for Nuget is not a thing because
> the manifest within DotNet applications decides what runtime version
> of the assembly to use at build time so it is necessarily per-port.
> Also, DotNet can have hard or soft links (I forget the terminology) to
> required assemblies in the sense they can specify to use any version
> or a specific version, and can specify if the assemblies require to be
> signed (i.e. verified by the authors credentials against a trusted
> list). The GAC handles versioning for system level assemblies and if
> you overwrite a required version in your local repository it's a
> development error that you need to sort yourself.

Unfortunately, we do need to worry about per-port dependencies. In the
practical case it is around the need to download the nuget packages within
the Ports Collection framework (so we get security protection, etc),
before the build phase. Ports are not allowed internet access during
build.

Regards

[1] I know PC-BSD, for a while at least, also bundles all dependencies
within a PBI?
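The practical constraint raised above (nuget packages must be fetched and integrity-checked before a build phase that has no network access) looks like this in POSIX sh: an offline check of pre-fetched .nupkg files against a ports-style distinfo of SHA256 and SIZE lines. This is an added example, not code from the thread or from the ports framework; the package names, file contents and distinfo are constructed placeholders.

```shell
#!/bin/sh
# Offline integrity check of pre-fetched nuget packages against a
# ports-style distinfo (SHA256 and SIZE lines). Added example; the .nupkg
# files created by make_fixture are constructed placeholders, not packages.
set -u

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_distinfo DISTDIR DISTINFO: returns 0 when every file listed in
# DISTINFO exists under DISTDIR with the recorded SHA256 and SIZE, and
# 1 on the first missing file or mismatch (the build must not proceed).
verify_distinfo() {
    distdir=$1; distinfo=$2
    while read -r kind name _eq expected; do
        name=${name#?}; name=${name%?}   # strip the surrounding parentheses
        path="$distdir/$name"
        [ -f "$path" ] || { echo "missing: $name" >&2; return 1; }
        case $kind in
            SHA256) actual=$(sha256_of "$path") ;;
            SIZE)   actual=$(wc -c < "$path" | tr -d ' ') ;;
            *)      continue ;;
        esac
        if [ "$actual" != "$expected" ]; then
            echo "$kind mismatch for $name: got $actual" >&2
            return 1
        fi
    done < "$distinfo"
    return 0
}

# make_fixture DIR: constructed fixture of two placeholder .nupkg files and
# a distinfo holding the SHA256/SIZE of "hello\n" and of an empty file.
make_fixture() {
    mkdir -p "$1/nuget"
    printf 'hello\n' > "$1/nuget/Example.Pkg.1.0.0.nupkg"
    : > "$1/nuget/Example.Empty.2.0.0.nupkg"
    cat > "$1/distinfo" <<'EOF'
SHA256 (nuget/Example.Pkg.1.0.0.nupkg) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SIZE (nuget/Example.Pkg.1.0.0.nupkg) = 6
SHA256 (nuget/Example.Empty.2.0.0.nupkg) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SIZE (nuget/Example.Empty.2.0.0.nupkg) = 0
EOF
}
```

Run `make_fixture "$dir" && verify_distinfo "$dir" "$dir/distinfo"` to see a clean pass; altering or deleting either placeholder package makes the check return 1 and name the offending file.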