On Wed, Apr 29, 2015 at 11:38:59AM -0500, Adam Miller wrote:
> Hello all,
> I've noticed that the Go (golang) Packaging Guidelines Draft[0]
> document has been stagnant for a while now and I'm curious what the
> next steps should be? Does this need to go through FESCo?
It shouldn't need to go through FESCo. See
https://fedorahosted.org/fpc/ticket/382 for current state.
> Also, since Go is statically compiled by default is this something
> we need to get an exception from FESCo similar to OCaml[1]?
That's covered in the draft.
> If there were to be some sort of approval for these bundled
> libraries, should there be a defined specification of which Go
> dependency managers are supported for sake of security response so
> that we can check for packages that need rebuilding when a
> vulnerability is found? What kind of changes would be necessary for
> build tooling there? (Maybe something in this area I'm not thinking
> of?)
Now, the bundling issue is an exciting kettle of worms — although the
problem of tons of unpackaged deps is not really that different from
Ruby or even Python or Perl. I think it's fair to say that the _idea_
of the current approach -- first package to require it generally needs
to do the work of getting the dependencies in too -- is geared towards
an eventual benefit to the _next_ packages, which will then find their
deps already nicely available. (Pain now, but globally reduced pain
later.)
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader