[Fedora-packaging] Go Packaging Guidelines: What's next?

Adam Miller maxamillion at fedoraproject.org
Wed Apr 29 16:59:43 UTC 2015


On Wed, Apr 29, 2015 at 11:50 AM, Matthew Miller
<mattdm at fedoraproject.org> wrote:
> On Wed, Apr 29, 2015 at 11:38:59AM -0500, Adam Miller wrote:
>> Hello all,
>>     I've noticed that the Go (golang) Packaging Guidelines Draft[0]
>> document has been stagnant for a while now and I'm curious what the
>> next steps should be? Does this need to go through FESCo?
>
> It shouldn't need to go through FESCo. See
> https://fedorahosted.org/fpc/ticket/382 for current state.
>
>>     Also, since Go is statically compiled by default, is this something
>> we need to get an exception from FESCo similar to OCaml[1]?
>
> That's covered in the draft.

Yup, I totally missed that. Apologies.

>
>>     If there were to be some sort of approval for these bundled
>> libraries, should there be a defined specification of which Go
>> dependency managers are supported for the sake of security response so
>> that we can check for packages that need rebuilding when a
>> vulnerability is found? What kind of changes would be necessary for
>> build tooling there? (Maybe something in this area I'm not thinking
>> of?)
>
> Now, the bundling issue is an exciting kettle of worms — although the
> problem of tons of unpackaged deps is not really that different from
> Ruby or even Python or Perl. I think it's fair to say that the _idea_
> of the current approach -- first package to require it generally needs
> to do the work of getting the dependencies in too -- is geared towards
> an eventual benefit to the _next_ packages, which will then find their
> deps already nicely available. (Pain now, but globally reduced pain
> later.)
>

That's fair I suppose, I just think that the scenario is slightly
different because it's build time vs runtime deps for Go vs
Python/Ruby/Perl. At runtime that giant dep list disappears. Maybe I'm
overthinking this but it does seem different to me. However, I agree
that if we can deal with some pain upfront and have less later then
all the better. Just from a ground zero standpoint it seems like a lot
of churn.

Thanks for the quick reply, I'll follow along in the fpc trac ticket
from now on.

-AdamM

> --
> Matthew Miller
> <mattdm at fedoraproject.org>
> Fedora Project Leader
> --
> packaging mailing list
> packaging at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/packaging

