Re: Tree-sitter maturity

[Daniel Colascione]

On December 27, 2024 10:31:52 AM EST, Eli Zaretskii <eliz@gnu.org> wrote:
>> Date: Fri, 27 Dec 2024 10:05:47 -0500
>> From: Daniel Colascione <dancol@dancol.org>
>> CC: emacs-devel@gnu.org, philipk@posteo.net, rms@gnu.org, manphiz@gmail.com
>> 
>> >> Why not just vendor all the grammars with the Emacs modes that use them?
>> >
>> >We'd need to ask their developers to agree to this. 
>> 
>> Why? They're free software. For copyright assignment? Seems like an 
>> exception would make sense here.
>
>AFAIK, that was the policy until now: we should have written agreement
>by authors to include any code in Emacs.  RMS might know more, because
>he asked for that.
>
>> > Other than that,
>> >I don't see how is that different from pointing to a specific version
>> >of each grammar: both will be outdated a short time after we point to
>> >the version or release Emacs with that version.
>> >
>> >So why do you think this is better?
>> 
>> Vendoring enables building a full featured Emacs without a network 
>> connection and guarantees build reproducibility in perpetuity.
>
>Is a network connection really a serious problem nowadays?

It's just another thing that can go wrong. And if, as discussed elsewhere on 
the thread, the network fetch is of HEAD rather than some specific commit with 
a known-good hash, that's a security issue. There's a reason many organizations 
ptohibit network access during builds or at least require that all fetched 
dependencies be hash-locked.