On Tue, Oct 01, 2019 at 01:33:34PM +0200, Bjoern Walk wrote:
> Daniel P. Berrangé <berrange@xxxxxxxxxx> [2019-09-27, 01:52PM +0100]:
> > +package main > > + > > +import ( > > + "flag" > > + "fmt" > > + "github.com/spf13/pflag"
>
> I don't like external dependencies like this at all. Not from an
> administrative POV (there are likely a number of build environments,
> including ours, that want to build libvirt offline) and not from a
> security POV (this reminds me of the npm-debacles we see every now and
> then).

This is an inaccurate view of Go build/dependencies. Nothing prevents
you building Go code offline. This is exactly what Fedora does for all
Go code. By default the Go toolchain will pull from the upstream
directly, but you can tell it to use locally packaged source, or can
pre-populate a cache of downloaded content.

As for external dependencies in general, libvirt.so already links to 60+
libraries right now. Using external dependencies is a good thing because
you are not re-inventing the wheel constantly, instead picking a solution
that is already robust & tested.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
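
Review bot: in the quoted import block, "github.com/spf13/pflag" is listed in the same group as the standard-library "flag" and "fmt"; put third-party imports in their own group after a blank line, as goimports does, so the external dependency is easy to spot in review. The block also imports both "flag" and pflag, and the quoted lines do not show why both are needed, so a short comment on that would help.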
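
The "locally packaged source" option mentioned in the reply can be checked before an offline build. The Go program below is an added example, not code from the thread or from libvirt: it compares the requirements in go.mod against vendor/modules.txt, assuming the Go 1.14+ modules.txt layout; the sample file contents (versions included) and the example.org module names are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample inputs; the example.org names are hypothetical.
const sampleGoMod = "module example.org/tool\nrequire (\n\tgithub.com/spf13/pflag v1.0.5\n\texample.org/helper v0.2.0 // indirect\n)\n"
const sampleVendor = "# github.com/spf13/pflag v1.0.5\n## explicit\ngithub.com/spf13/pflag\n"

// requires returns module -> version for every require directive in go.mod.
func requires(gomod string) map[string]string {
	out, inBlock := map[string]string{}, false
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // drop "// indirect"
		switch {
		case len(f) == 1 && f[0] == ")", len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = f[0] == "require" // "require (" opens a block, ")" closes it
		case len(f) == 3 && f[0] == "require":
			out[f[1]] = f[2]
		case len(f) == 2 && inBlock:
			out[f[0]] = f[1]
		}
	}
	return out
}

// MissingFromVendor lists requirements an offline -mod=vendor build would lack.
func MissingFromVendor(gomod, modulesTxt string) []string {
	have := map[string]string{}
	for _, line := range strings.Split(modulesTxt, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" {
			have[f[1]] = f[2] // "# module version" header line
		}
	}
	var missing []string
	for mod, want := range requires(gomod) {
		if have[mod] != want {
			missing = append(missing, fmt.Sprintf("%s: want %s, vendored %q", mod, want, have[mod]))
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	fmt.Println(MissingFromVendor(sampleGoMod, sampleVendor))
}
```

An empty result means vendor/modules.txt records a copy of every required module at the required version, which is what a build with `-mod=vendor` and `GOPROXY=off` relies on.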