On Wed, Apr 29, 2015 at 11:50 AM, Matthew Miller
<mattdm(a)fedoraproject.org> wrote:
> On Wed, Apr 29, 2015 at 11:38:59AM -0500, Adam Miller wrote:
> > Hello all,
> > I've noticed that the Go (golang) Packaging Guidelines Draft[0]
> > document has been stagnant for a while now and I'm curious what the
> > next steps should be? Does this need to go through FESCo?
>
> It shouldn't need to go through FESCo. See
> https://fedorahosted.org/fpc/ticket/382 for current state.
>
> > Also, since Go is statically compiled by default is this something
> > we need to get an exception from FESCo similar to OCaml[1]?
>
> That's covered in the draft.

Yup, I totally missed that. Apologies.

> > If there were to be some sort of approval for these bundled
> > libraries, should there be a defined specification of which Go
> > dependency managers are supported for sake of security response so
> > that we can check for packages that need rebuilding when a
> > vulnerability is found? What kind of changes would be necessary for
> > build tooling there? (Maybe something in this area I'm not thinking
> > of?)
>
> Now, the bundling issue is an exciting kettle of worms — although the
> problem of tons of unpackaged deps is not really that different from
> Ruby or even Python or Perl. I think it's fair to say that the _idea_
> of the current approach -- first package to require it generally needs
> to do the work of getting the dependencies in too -- is geared towards
> an eventual benefit to the _next_ packages, which will then find their
> deps already nicely available. (Pain now, but globally reduced pain
> later.)

That's fair I suppose, I just think that the scenario is slightly
different because it's build time vs runtime deps for Go vs
Python/Ruby/Perl. At runtime that giant dep list disappears. Maybe I'm
overthinking this but it does seem different to me. However, I agree
that if we can deal with some pain upfront and have less later then
all the better. Just from a ground zero standpoint it seems like a lot
of churn.

Thanks for the quick reply, I'll follow along in the fpc trac ticket
from now on.

-AdamM

> --
> Matthew Miller
> <mattdm(a)fedoraproject.org>
> Fedora Project Leader
--
packaging mailing list
packaging(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/packaging