[Fedora-packaging] Go Packaging Guidelines: What's next?
Adam Miller
maxamillion at fedoraproject.org
Wed Apr 29 16:38:59 UTC 2015
Hello all,
I've noticed that the Go (golang) Packaging Guidelines Draft[0]
document has been stagnant for a while now and I'm curious what the
next steps should be? Does this need to go through FESCo?
Also, since Go is statically compiled by default is this something
we need to get an exception from FESCo similar to OCaml[1]?
Another topic of note is bundled libraries. The upstream Go
community seems pretty content with just bundling in their
dependencies since it's all statically linked anyways (yes, you can
dynamically link with gcc-go but I've yet to find a single project out
in community space doing that).
For some popular Go projects the dependency list is over 100
deps[2] and are managed with something similar to Godep[3], I'm not
sure how realistic it is for packagers to be expected to maintain that
many dependencies. This also begs the question that if we do require a
packager to maintain them, what happens if another project requires a
different version of that dep? (This is similar in nature to what I
like to call "ruby bundler hell").
If there were to be some sort of approval for these bundled
libraries, should there be a defined specification of which Go
dependency managers are supported for sake of security response so
that we can check for packages that need rebuilding when a
vulnerability is found? What kind of changes would be necessary for
build tooling there? (Maybe something in this area I'm not thinking
of?)
I wanted to at least get this conversation going because it
appears there's already a number of Go packages in Fedora at this time
without any approved standard and as the language continues to gain
popularity I can only assume that number will increase.
At the time of this writing, on my laptop running Rawhide:
$ dnf search golang | wc -l
279
Thank you,
-AdamM
[0] - https://fedoraproject.org/wiki/PackagingDrafts/Go
[1] - https://fedoraproject.org/wiki/Packaging:Guidelines#Programs_which_don.27t_need_to_notify_FESCo
[2] - https://github.com/openshift/origin/blob/master/Godeps/Godeps.json
[3] - https://github.com/tools/godep
More information about the packaging
mailing list