Avoid usage of github.com/mtrmac/gpgme #268
Comments
|
you can use build tag |
|
Yes, I've seen
I have not got this to work yet though. Also from a user point of view it would be nice, if the default would work for all OS types. That said, there is another problem with: The call to syscall.Stat_t is OS specific and returns different structs depending on the target OS. I guess that's an issue for storage. |
|
containers_image_openpgp tag aside, I still cannot compile this out of the box. mtrmac/gpgme is a defined dependency which gets downloaded into the vendor directory. When I then try to build, I get: So even if containers/image has some build tags to avoid the usage of gpgme, gpgme will cause compilation errors. The second error is the mentioned system specific call to syscall.Stat_t in containers/storage. |
The Though, AFAICT, the situation for macOS and Linux is pretty much the same: GPGME development libraries have to be installed. In neither it is a part of the mandatory base system, so it may need to be installed by the user. I suppose with Linux it may be a little easier when using a container to isolate a prepared build environment, but then a container runtime is not a part of the mandatory base system either… |
What exact command are you using to build this? This should only happen when the build tag is not present. (Alternatively, install a GPGME development library + headers, via
This is the same thing as containers/skopeo#310 , where the supposed fix containers/skopeo#331 lacks a macOS tester. Could you verify that PR works, please? If it does, we can update the vendored version in this repo similarly. |
Let me double check
Will do. Btw, I really would need this to cross compile to Windows as well. |
|
So there is the thing. If I do: If I then manually delete the mtrmac: storage issue aside, if I don't want to use gpgme, I not only have to specify the containers_image_openpgp tag, but I also need to make sure not to get the gpgme dependency. Using make vendor I will get it per default though. So at the very least this needs to be documented. In the REAMDE it says regarding gpgme:
So where is that really an issue. What is the use case for creating signatures? |
|
Updating to the latest version of storage by adding: to vendor.conf, gets me past compilation errors. |
Good catch, Also thanks for testing the storage update. I’ll work on on the necessary updates.
Well, a signature has to exist in order to be verifiable :) If you mean that your intended use of containers/image does not involve signing container images, sure, that’s not inherently required. Much of the library does not actually require the |
The version we use expects Linux-specific struct stat; per containers#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
And zounds of other dependencies. Use Gopkg.toml's 'ignored' [1] to
exclude, BoltDB, which comes in via:
github.com/containers/image/pkg/blobinfocache
github.com/boltdb/bolt
and github.com/docker/distribution/registry/storage/cache, which comes
in via:
github.com/containers/image/docker
github.com/docker/distribution/registry/client
github.com/docker/distribution/registry/storage/cache
because we don't use either the storage backend or the BoltDB
blob-info cache, but dep isn't checking at that level of granularity.
Runc was being pulled in from a few places for runc/libcontainer/user,
but we apparently don't need that either. Ideally the upstream
repositories would restructure to split these out into separate
packages (and/or dep will grow support for pruning by build tag [2]),
but until then, we can manually prune via 'ignored'.
Also ignore mtrmac/gpgme, because we only need signature verification
and we don't want to use CGO (because we want to be portable to other
operating systems, and we only need verification support, not signing
support [3]).
There may be more fat we can prune as well, but I got tired of looking
and gave up, even though ~50k lines of new code is pretty embarassing
for what is effectively just a handful of HTTPS requests and an
OpenPGP check.
Generated (after manually editing Gopkg.toml) with:
$ dep ensure
using:
$ dep version
dep:
version : v0.5.0-31-g73b3afe
build date : 2019-02-08
git hash : 73b3afe
go version : go1.10.3
go compiler : gc
platform : linux/amd64
features : ImportDuringSolve=false
[1]: https://golang.github.io/dep/docs/Gopkg.toml.html#ignored
[2]: golang/dep#291
[3]: containers/image#268
And zounds of other dependencies. Use Gopkg.toml's 'ignored' [1] to
exclude, BoltDB, which comes in via:
github.com/containers/image/pkg/blobinfocache
github.com/boltdb/bolt
and github.com/docker/distribution/registry/storage/cache, which comes
in via:
github.com/containers/image/docker
github.com/docker/distribution/registry/client
github.com/docker/distribution/registry/storage/cache
because we don't use either the storage backend or the BoltDB
blob-info cache, but dep isn't checking at that level of granularity.
Ideally the upstream repositories would restructure to split these out
into separate packages (and/or dep will grow support for pruning by
build tag [2]), but until then, we can manually prune via 'ignored'.
Also ignore mtrmac/gpgme, because we only need signature verification
and we don't want to use CGO (because we want to be portable to other
operating systems, and we only need verification support, not signing
support [3]).
There may be more fat we can prune as well, but I got tired of looking
and gave up, even though ~50k lines of new code is pretty embarassing
for what is effectively just a handful of HTTPS requests and an
OpenPGP check.
Generated (after manually editing Gopkg.toml) with:
$ dep ensure
using:
$ dep version
dep:
version : v0.5.0-31-g73b3afe
build date : 2019-02-08
git hash : 73b3afe
go version : go1.10.3
go compiler : gc
platform : linux/amd64
features : ImportDuringSolve=false
[1]: https://golang.github.io/dep/docs/Gopkg.toml.html#ignored
[2]: golang/dep#291
[3]: containers/image#268
|
@hferentschik @mtrmac @vrothberg I believe this is fixed, Closing. Reopen if I am mistaken. |
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The version we use expects Linux-specific struct stat; per containers/image#268 (comment) the update fixes this. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This library only compiles on Linux, since it uses C extensions which won't compile on OS X and Windows. This makes it for example hard/impossible to use image as a library for a cross compiled CLI applications.
Could one not use Go's golang.org/x/crypto/openpgp?
For now I removed github.com/mtrmac/gpgme and commented its use out from mechanism.go. If there is no way to make without C extensions, one can maybe only build them for Linux, whereas for OS X and Windows it particular feature would not be available (not 100% for what it is actually used).
The text was updated successfully, but these errors were encountered: