[Fedora-packaging] Go Packaging Guidelines: What's next?
Matthew Miller
mattdm at fedoraproject.org
Wed Apr 29 16:50:41 UTC 2015
On Wed, Apr 29, 2015 at 11:38:59AM -0500, Adam Miller wrote:
> Hello all,
> I've noticed that the Go (golang) Packaging Guidelines Draft[0]
> document has been stagnant for a while now and I'm curious what the
> next steps should be? Does this need to go through FESCo?
It shouldn't need to go through FESCo. See
https://fedorahosted.org/fpc/ticket/382 for current state.
> Also, since Go is statically compiled by default is this something
> we need to get an exception from FESCo similar to OCaml[1]?
That's covered in the draft.
> If there were to be some sort of approval for these bundled
> libraries, should there be a defined specification of which Go
> dependency managers are supported for sake of security response so
> that we can check for packages that need rebuilding when a
> vulnerability is found? What kind of changes would be necessary for
> build tooling there? (Maybe something in this area I'm not thinking
> of?)
Now, the bundling issue is an exciting kettle of worms — although the
problem of tons of unpackaged deps is not really that different from
Ruby or even Python or Perl. I think it's fair to say that the _idea_
of the current approach -- first package to require it generally needs
to do the work of getting the dependencies in too -- is geared towards
an eventual benefit to the _next_ packages, which will then find their
deps already nicely available. (Pain now, but globally reduced pain
later.)
--
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader