opentofu / opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.
https://opentofu.org
Mozilla Public License 2.0

Vendor/tarball dependencies #1679

Open ghost opened 4 months ago

ghost commented 4 months ago

OpenTofu Version

N/A

Use Cases

Linux vendors who want to compile OpenTofu from source and want to provide reproducible builds often need to create a "dependency tarball". For example, the Gentoo manual writes the following:

If the software has a directory named vendor in its top level directory, the only thing you need to do is inherit the eclass. If it doesn't, you need to also create a dependency tarball and host it somewhere, for example in your dev space. It's recommended that a format supporting parallel decompression is used and developers should use higher levels of compression like '-9' for xz.

It would make it easier for Linux distros to integrate OpenTofu if we either vendored the dependencies or provided a separate tarball.

Attempted Solutions

The current OpenTofu ebuild references a tarball built by the package maintainer.

Proposal

We should either vendor the dependencies using go mod vendor (pretty standard procedure) or provide vendored tarballs with releases.

References

No response

cam72cam commented 4 months ago

There are existing workarounds for Gentoo as far as I am aware, but this could make their ebuild authors' jobs easier and reduce the time it takes to get new OpenTofu releases out in their repo. Marking as needs-community-input and would appreciate input specifically from Gentoo users and contributors.
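
An added example, not part of the issue thread or the OpenTofu project: one way to build the dependency tarball discussed above so that anyone can regenerate it and compare hashes. It archives an existing `vendor` directory (as produced by `go mod vendor`) with normalised metadata and xz preset 9; the function names and the `opentofu-deps` prefix are assumptions made for illustration.

```python
import hashlib
import io
import lzma
import os
import sys
import tarfile


def _normalise(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Drop everything that differs between build hosts: owner, time, umask."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    info.mtime = 0
    info.mode = 0o755 if info.mode & 0o100 else 0o644
    return info


def build_dep_tarball(src_root: str, prefix: str, subdir: str = "vendor") -> bytes:
    """Return an xz-compressed tar of src_root/subdir with a stable byte layout."""
    top = os.path.join(src_root, subdir)
    paths = [
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(top)
        for name in files
    ]
    paths.sort()  # fixed member order, independent of directory listing order
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in paths:
            rel = os.path.relpath(path, src_root).replace(os.sep, "/")
            tar.add(path, arcname=f"{prefix}/{rel}", recursive=False,
                    filter=_normalise)
    return lzma.compress(raw.getvalue(), preset=9)


def sha256_hex(data: bytes) -> str:
    """Digest to publish next to the tarball, or to compare against one."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Usage: script.py <source checkout containing vendor/> <output.tar.xz>
    # The prefix below is a hypothetical name, not a project convention.
    blob = build_dep_tarball(sys.argv[1], "opentofu-deps")
    with open(sys.argv[2], "wb") as out:
        out.write(blob)
    print(sha256_hex(blob), sys.argv[2])
```

Two people running this against the same checkout with the same Python and liblzma versions get the same digest, so a mismatch against a hosted tarball points to different dependency contents rather than differing timestamps or file ownership.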