Go packaging guidelines?

Matthew Miller mattdm at fedoraproject.org
Tue Jan 14 19:18:11 UTC 2014

On Tue, Jan 14, 2014 at 12:06:09PM +0100, Florian Weimer wrote:
> A couple of questions and comments.  I think overall, the approach works.
> # Packaging Libraries
> This does not mention libraries which use cgo.  Should they be
> handled the same way?  What about additional C wrappers?

I think for now, yes. Unless you have a better suggestion.

> # Security in Go Language Packages
> The repoquery invocations for checking for affected programs are
> incorrect because the archive may have evolved from the time the
> binary Go program has been built and no longer reflect those
> dependencies.  The non-stripped nature of binaries should make it
> possible to see, based on the binaries alone, which libraries were
> used to compile it.

Hmmm, okay. Would it be useful to have a script that generates a list

> On the other hand, I wonder if we should rebuild all dependent
> binary Go programs each time any of the libraries used to build it
> change.  This ensure that we ship matching source code for the
> compiled binary, and it causes any breakage sooner.

I'm worried that that would cause a lot of needless churn. But maybe it's
for the best.

Matthew Miller    --   Fedora Project    --    <mattdm at fedoraproject.org>

More information about the devel mailing list