Closed chris-stones closed 11 months ago
@chris-stones just FYI: Here is a link where you can download the latest RPMs of IVPN apps: https://www.ivpn.net/apps-linux/#binaries
Adding vendor folders to Go projects does not solve your original problem. The daemon project uses some third-party external projects. Therefore, when compiling the daemon project, those third-party external projects also need to be compiled. The sources of those projects are fetched from the internet. In other words, you need internet connectivity to build the entire project.
Moreover, compiling the UI project also requires internet connectivity to download dependent Node modules.
For now, I do not plan to use vendor folders, since it does not solve the problem and brings some disadvantages related to project maintenance.
I am closing the ticket. Please feel free to reopen it if you think it is worth it.
Okay, understood, no problem. I won't re-open. However, I feel you are mistaken.
The third-party programs that you download and compile for the daemon (obfs4proxy etc.) are supported by Gentoo, so we don't need to worry about those.
I'm presently using the CLI and daemon on a Gentoo system with the changes I proposed.
The code compiles and installs in a network-less sandbox.
As for the UI, yes, you are correct; I request no changes to that.
See the Gentoo package for the daemon below; note that we use Gentoo packages for the third-party libraries.
The part I don't like is the need for the "SOME_UNTRUSTED_STRANGERS_IP_ADDRESS" in the SRC_URI.
```bash
EAPI=8

inherit go-module systemd

DESCRIPTION="Official IVPN cli"
HOMEPAGE="https://www.ivpn.net/ https://github.com/ivpn"
# Official upstream source tarball, plus a separately hosted vendor tarball
# (the part that cannot be verified against upstream).
SRC_URI="https://github.com/ivpn/desktop-app/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz"
SRC_URI+=" https://${SOME_UNTRUSTED_STRANGERS_IP_ADDRESS}/${P}-vendor.tar.xz"

LICENSE="GPL-3"
KEYWORDS="~amd64"
SLOT="0"
IUSE="systemd"
RESTRICT="primaryuri"

# Third-party tools the daemon execs at runtime come from Gentoo packages,
# not from sources fetched during the build.
RDEPEND="net-proxy/lyrebird
	net-dns/dnscrypt-proxy
	net-vpn/wireguard-tools
	net-vpn/openvpn
	net-wireless/wireless-tools
	sys-process/lsof
	sys-libs/glibc"
DEPEND="sys-libs/glibc"
BDEPEND=">=dev-lang/go-1.18"
IDEPEND="net-proxy/lyrebird
	net-dns/dnscrypt-proxy
	net-vpn/wireguard-tools"

S="${WORKDIR}/desktop-app-${PV}/daemon"

src_compile() {
	# version info variables baked into the binary via -ldflags -X
	VERSION="${PV}"
	DATE="$(date "+%Y-%m-%d")"
	COMMIT="${PV}_stamped"
	ego build -trimpath -ldflags "-s -w -X github.com/ivpn/desktop-app/daemon/version._version=$VERSION -X github.com/ivpn/desktop-app/daemon/version._commit=$COMMIT -X github.com/ivpn/desktop-app/daemon/version._time=$DATE"
}

src_install() {
	dodir /opt/ivpn/etc
	# go build names the binary after the module directory ("daemon")
	newbin daemon ivpn-service

	insinto /opt/ivpn/etc
	# helper scripts run as root by the service
	insopts -m700
	doins "References/Linux/etc/client.down"
	doins "References/Linux/etc/client.up"
	doins "References/Linux/etc/firewall.sh"
	doins "References/Linux/etc/splittun.sh"
	insopts -m600
	doins "References/common/etc/servers.json"
	# CA cert and TLS-auth key: read-only
	insopts -m400
	doins "References/common/etc/ca.crt"
	doins "References/common/etc/ta.key"
	doins "References/common/etc/dnscrypt-proxy-template.toml"

	# The daemon expects its helpers under /opt/ivpn; point those paths at
	# the system-packaged binaries instead of bundled copies.
	dosym "$(which wg-quick)" /opt/ivpn/wireguard-tools/wg-quick
	dosym "$(which wg)" /opt/ivpn/wireguard-tools/wg
	dosym "$(which obfs4proxy)" /opt/ivpn/obfsproxy/obfs4proxy
	dosym "$(which dnscrypt-proxy)" /opt/ivpn/dnscrypt-proxy/dnscrypt-proxy

	if use systemd; then
		systemd_dounit "${FILESDIR}/ivpn-service.service"
	else
		newinitd "${FILESDIR}/ivpn.initd" ivpn
	fi
	default
}
```
I just looked at 351eeda29f2a3763b92776c4c8483f00572b6fc6.
I wasn't advocating adding the vendor folder to git.
I had imagined that this would be a one-liner in the source tarball deploy script: running `go mod vendor` before creating and uploading the tarball?
But... yes, if it's more complicated than this, please ignore. I suspect you might not have a massive Gentoo customer base; we are a rare breed :+1:
Thanks.
Feature request
A minor change to the release tarballs could make unofficial Gentoo packages easier to trust/verify.
Include desktop-app-*/cli/vendor and desktop-app-*/daemon/vendor in release tarballs.
Description
Gentoo compiles and installs packages in a network-less sandbox.
This is desirable, because we know only the declared sources are being downloaded.
No supply-chain attacks from missing package-lock files, no malicious downloads from a deeply nested script, blah blah blah.
This means that Go cannot automatically fetch its dependencies during the compile phase.
The workaround is to have a package maintainer run `go mod vendor`, then upload the package somewhere and share their ebuild with the community.
Gentoo doesn't officially support IVPN, so Gentoo users need to trust that this unknown community member didn't make any malicious modifications.
Describe the solution you'd like
Please include the vendor directory when you package release tarballs.
Then, the community ebuild needs to only reference your official release tarball.
This is much, much easier to audit / trust.
Describe alternatives you've considered
An alternative is to use the pre-compiled RPM... but this is a last resort for Gentoo users.
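The trust problem described in this issue (a vendor tarball produced by an unknown community member and served from an arbitrary host) shrinks considerably if that tarball is reproducible: anyone can unpack the official source tarball, re-run the same steps, and compare digests. The script below is an added example of how a maintainer could do that; it is not IVPN's release tooling or part of any Gentoo ebuild. It assumes GNU tar 1.28 or newer (for `--sort`), `xz`, and a `go` toolchain on PATH when vendoring; the module subdirectory and output file name are placeholders. The vendoring step runs `go mod verify` against go.sum first and then proves the tree is complete by building with `GOPROXY=off`, which is the same network-less condition the Gentoo sandbox imposes.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the IVPN project): produce a reproducible
# vendor tarball for a Go module so a Gentoo user can rebuild it from the
# official source tarball and compare SHA-256 digests, instead of trusting an
# opaque ${P}-vendor.tar.xz fetched from a stranger's host.
# Assumptions: GNU tar >= 1.28 (--sort), xz, and "go" on PATH when vendoring.
set -euo pipefail

digest() {  # SHA-256 of a file; coreutils sha256sum or BSD shasum fallback
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Deterministic archive of "$2" (relative to "$1") written to "$3".
# Entry order, mtimes, ownership and the compressor are all pinned, so two
# independent runs over identical trees give byte-identical output.
# COMPRESS may be overridden (e.g. COMPRESS=cat when xz is unavailable).
pack_reproducible() {
    local srcdir="$1" subdir="$2" out="$3"
    local epoch="${SOURCE_DATE_EPOCH:-1}"   # fixed timestamp for every entry
    tar --format=gnu --sort=name --mtime="@${epoch}" \
        --owner=0 --group=0 --numeric-owner \
        -C "$srcdir" -cf - "$subdir" | ${COMPRESS:-xz -9 -T1} > "$out"
    digest "$out"
}

# Populate vendor/ for the module in "$1": download exactly what go.sum pins,
# verify the module cache against go.sum, vendor, then prove the vendor tree
# is complete by building with the network switched off.
vendor_module() {
    local moddir="$1"
    (
        cd "$moddir"
        go mod download
        go mod verify
        go mod vendor
        GOFLAGS=-mod=vendor GOPROXY=off go build ./...
    )
}

# Usage: ./vendor-tarball.sh <extracted source dir> <module subdir> <out file>
# e.g.   ./vendor-tarball.sh desktop-app-${PV} daemon ${P}-daemon-vendor.tar.xz
main() {
    local srcdir="$1" subdir="$2" out="$3"
    vendor_module "$srcdir/$subdir"
    printf 'SHA256(%s) = %s\n' "$out" \
        "$(pack_reproducible "$srcdir" "$subdir/vendor" "$out")"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Run it once per module directory the issue names (`cli` and `daemon`), publish the printed digest alongside the ebuild, and set `SOURCE_DATE_EPOCH` to the release tag's commit time so that the value is stable across machines. A reviewer then only needs the official `${P}.tar.gz`, this script and the Go toolchain to confirm that the hosted vendor tarball is exactly what `go mod vendor` produces from upstream's go.sum; the ebuild's Manifest entry for the vendor tarball becomes something that can be checked rather than trusted.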