I've noticed that the Go (golang) Packaging Guidelines Draft
document has been stagnant for a while now and I'm curious what the
next steps should be? Does this need to go through FESCo?

Also, since Go is statically compiled by default, is this something
we need to get an exception from FESCo for, similar to OCaml?

Another topic of note is bundled libraries. The upstream Go
community seems pretty content with just bundling in their
dependencies since it's all statically linked anyways (yes, you can
dynamically link with gcc-go but I've yet to find a single project out
in community space doing that).

For some popular Go projects the dependency list is over 100
deps and is managed with something similar to Godep. I'm not
sure how realistic it is for packagers to be expected to maintain that
many dependencies. This also begs the question that if we do require a
packager to maintain them, what happens if another project requires a
different version of that dep? (This is similar in nature to what I
like to call "ruby bundler hell").

If there were to be some sort of approval for these bundled
libraries, should there be a defined specification of which Go
dependency managers are supported for the sake of security response so
that we can check for packages that need rebuilding when a
vulnerability is found? What kind of changes would be necessary for
build tooling there? (Maybe something in this area I'm not thinking

I wanted to at least get this conversation going because it
appears there's already a number of Go packages in Fedora at this time
without any approved standard and as the language continues to gain
popularity I can only assume that number will increase.

At the time of this writing, on my laptop running Rawhide:
$ dnf search golang | wc -l
 - https://fedoraproject.org/wiki/PackagingDrafts/Go
 - https://fedoraproject.org/wiki/Packaging:Guidelines#Programs_which_don.27...
 - https://github.com/openshift/origin/blob/master/Godeps/Godeps.json
 - https://github.com/tools/godep
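
The rebuild check asked about in the message above, sketched as an added example (not part of the original post, and not Fedora or godep tooling): given each package's bundled Godeps.json, list the packages that pin a vulnerable repository at an affected revision. The package names, import paths and revisions are constructed, and `NeedsRebuild` is a hypothetical helper; only the `Deps`, `ImportPath` and `Rev` fields come from the godep manifest format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Godeps holds the Godeps.json fields this check needs.
type Godeps struct {
	Deps []struct{ ImportPath, Rev string }
}

// Constructed sample manifests; package names, paths and revisions are made up.
var sampleManifests = map[string]string{
	"golang-example-server": `{"Deps":[{"ImportPath":"example.com/lib/yaml","Rev":"aaaa111"},
		{"ImportPath":"example.com/lib/tls/handshake","Rev":"bbbb222"}]}`,
	"golang-example-client": `{"Deps":[{"ImportPath":"example.com/lib/tls","Rev":"cccc333"}]}`,
	"golang-example-tool":   `{"Deps":[{"ImportPath":"example.com/lib/tlsutil","Rev":"bbbb222"}]}`,
}

// NeedsRebuild (hypothetical helper) lists the packages whose manifest pins
// vulnRepo, or a sub-package of it, at one of the affected revisions.
func NeedsRebuild(manifests map[string]string, vulnRepo string, affected map[string]bool) ([]string, error) {
	var hits []string
	for pkg, raw := range manifests {
		var g Godeps
		if err := json.Unmarshal([]byte(raw), &g); err != nil {
			return nil, fmt.Errorf("%s: %w", pkg, err)
		}
		for _, d := range g.Deps {
			// Require a path boundary so "lib/tlsutil" does not match "lib/tls".
			inRepo := d.ImportPath == vulnRepo || strings.HasPrefix(d.ImportPath, vulnRepo+"/")
			if inRepo && affected[d.Rev] {
				hits = append(hits, pkg)
				break
			}
		}
	}
	sort.Strings(hits) // map iteration order is random; keep output stable
	return hits, nil
}

func main() {
	hits, err := NeedsRebuild(sampleManifests, "example.com/lib/tls", map[string]bool{"bbbb222": true})
	fmt.Println("needs rebuild:", hits, "error:", err)
}
```

A check like this only works if every bundled dependency is recorded with its exact revision, which is why the choice of supported dependency managers matters for security response.
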
I'm getting some strange behaviour at the moment on a machine running FC21
where it seems to be loading/updating (or trying to) packages that are FC22!
(This seems to happen every now & again in the last 4-5 releases of FC).
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-21
The GPG keys listed for the "RPM Fusion for Fedora 21 - Free" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.
Failing package is: a52dec-0.7.4-19.fc22.x86_64
GPG Keys are configured as: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-21