Re: Proposal for vendoring/bundling golang packages by default

On 1/20/25 1:02 AM, Mikel Olasagasti wrote:
> Hi,
>
> Go-SIG has raised a ticket with FESCo [1] to propose a significant
> shift in Fedora's packaging approach for Go dependencies: moving to
> vendoring/bundling by default. This would represent a major departure
> from our current guidelines [2].
>
> Given the potential impact, it was suggested that we bring this topic
> to the devel-list for broader input and an open discussion.
>
> The rationale for this proposal stems from the increasing challenges
> in maintaining Go dependencies under the current model, including
> issues with timely reviews, dependency management, and the impact of
> some "core" orphaned packages. Allowing vendoring by default could
> help alleviate these bottlenecks and improve the stability of Go-based
> packages in Fedora.
>
> If this proposal gains consensus, we could aim to implement the change
> as part of Fedora 43, with the development phase used for migration
> and retiring packages that may no longer fit within the updated
> framework.
>
> On a related note, I recently highlighted how the introduction of
> Golang 1.24 has caused significant breakage in over 200 packages [3],
> an issue that underscores the urgency of addressing these challenges.
>
> We invite all Fedora contributors, maintainers, and stakeholders to
> share their perspectives, concerns, and suggestions on this topic.
>
> Best regards,
> Mikel Olasagasti - mikelo2
>
> [1] https://pagure.io/fesco/issue/3330
> [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang/#_bundled_or_unbundled
> [3] https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/AQRBENDKBYJLGX5DKQTSLNOI6W4HIHT3/

Thank you for raising this, Mikel!

For context: This discussion around vendoring has been happening on-and-off in the Go SIG for several years now. The latest push was catalyzed by maintainer changes that caused many packages to be orphaned, ongoing issues with FTBFS packages, and difficulties with updating packages—the Docker/Containerd stack in particular[0].

Seeing that the situation with Docker was unsustainable, I wrote a blog post ("Fedora Go Unbundling is Broken") [1] and started working on new tooling (go-vendor-tools) [2] to handle creating reproducible vendor archives and running license scanners for vendored Go packages. go-vendor-tools also has support to update individual dependencies for security purposes [3]. Ultimately, we were able to move the Docker packages over to the new tooling, onboard a new maintainer, and keep the current packages up to date, all while adding new Docker ecosystem packages that have been missing for years (docker-compose v2, docker-buildx) [4].

go-vendor-tools has been provisionally available in Fedora for about 10 months now and has been adopted by 25 packages. My goal is to create a stable release [5], onboard another maintainer (if you're interested, please reach out!) so the project's bus factor is > 1, and submit a Change Proposal to make this the default approach for new packages (instead of the current bundling is allowed with a "proper justification" [6]) in time for Fedora 43.

Given the nature of the upstream Go ecosystem and Go tooling, I think vendoring-by-default is the best approach at this point [1].

[0] https://pagure.io/GoSIG/go-sig/issue/43
[1] https://gtmx.me/blog/fedora-go-unbundling-is-broken/
[2] https://fedora.gitlab.io/sigs/go/go-vendor-tools/
[3] https://fedora.gitlab.io/sigs/go/go-vendor-tools/scenarios/#security-updates
[4] https://lists.fedoraproject.org/archives/list/golang@xxxxxxxxxxxxxxxxxxxxxxx/thread/K5P6P2MGEE3SCPF4SZFWOIUGHQHJ6GGG/
[5] https://gitlab.com/fedora/sigs/go/go-vendor-tools/-/milestones/5
[6] https://gitlab.com/fedora/sigs/go/go2rpm#bundled-vendored-dependencies
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
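Added illustration, not code from this thread, from go-vendor-tools, or from any Fedora tooling: the per-dependency security-update scenario the reply refers to only works if the packager can tell which module versions actually ship inside a vendored package. The Go toolchain records exactly that in vendor/modules.txt, one "# module version [=> replacement version]" header per module followed by its package list. The program below parses a constructed modules.txt, resolves replace directives to the version that really lands in vendor/, and flags modules that sit below a minimum fixed version. Every module path, version and "fixed in" entry is made up for the example; the version comparison is a small re-implementation of Go's semver ordering so the block has no dependency outside the standard library.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// VendoredModule is one "# path version [=> replPath [replVersion]]" header
// line from vendor/modules.txt.
type VendoredModule struct {
	Path, Version            string // what go.mod requires
	Replacement, ReplVersion string // replace target; ReplVersion is empty for directory replacements
}

// Effective returns the module path and version whose source actually sits in vendor/.
func (m VendoredModule) Effective() (string, string) {
	if m.Replacement != "" {
		return m.Replacement, m.ReplVersion
	}
	return m.Path, m.Version
}

// ParseModulesTxt extracts the module header lines; "## explicit" flag lines
// and package import-path lines are skipped.
func ParseModulesTxt(content string) ([]VendoredModule, error) {
	var mods []VendoredModule
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "# ") {
			continue
		}
		f := strings.Fields(line[2:])
		if len(f) < 2 {
			return nil, fmt.Errorf("malformed module line: %q", line)
		}
		m := VendoredModule{Path: f[0]}
		if f[1] != "=>" {
			m.Version = f[1]
		}
		for i := range f {
			if f[i] != "=>" {
				continue
			}
			if i+1 >= len(f) {
				return nil, fmt.Errorf("dangling replace: %q", line)
			}
			m.Replacement = f[i+1]
			if i+2 < len(f) {
				m.ReplVersion = f[i+2]
			}
		}
		mods = append(mods, m)
	}
	return mods, sc.Err()
}

// splitVersion turns vMAJOR.MINOR.PATCH[-PRERELEASE][+META] into its numeric core
// and prerelease string; build metadata such as "+incompatible" is ignored.
func splitVersion(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	var core [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core, pre
}

// CompareVersions returns -1, 0 or 1. Pseudo-versions (v0.0.0-20240101...-abcdef)
// carry their timestamp in the prerelease part, so they sort below the release
// they precede, matching the Go toolchain's ordering.
func CompareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] != cb[i] {
			if ca[i] < cb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "": // a release outranks any prerelease of the same core
		return 1
	case pb == "":
		return -1
	case pa < pb:
		return -1
	}
	return 1
}

// Finding is a vendored module whose effective version predates the fixed one.
type Finding struct{ Module, Have, Need string }

// Audit compares each module's effective version against minFixed, a map of
// module path to the lowest version that contains the fix.
func Audit(mods []VendoredModule, minFixed map[string]string) []Finding {
	var out []Finding
	for _, m := range mods {
		path, ver := m.Effective()
		need, ok := minFixed[path]
		if !ok || ver == "" { // directory replacements have no version to compare
			continue
		}
		if CompareVersions(ver, need) < 0 {
			out = append(out, Finding{path, ver, need})
		}
	}
	return out
}

// Constructed sample input (not a real modules.txt): a plain module, a replaced
// one, a pseudo-versioned one and a +incompatible one.
const sampleModulesTxt = `# example.com/lib/alpha v1.4.2
## explicit; go 1.22
example.com/lib/alpha
example.com/lib/alpha/internal/x
# example.com/lib/beta v0.9.0 => example.com/lib/beta v0.9.3
## explicit
example.com/lib/beta
# example.com/lib/gamma v0.0.0-20240101120000-0123456789ab
## explicit
example.com/lib/gamma
# example.com/lib/delta v2.0.1+incompatible
## explicit
example.com/lib/delta
`

// Constructed "fixed in" table for the sample; these are not real advisories.
var sampleMinFixed = map[string]string{
	"example.com/lib/alpha": "v1.5.0", // shipped v1.4.2 is below the fix
	"example.com/lib/beta":  "v0.9.2", // replace directive already lifts it to v0.9.3
	"example.com/lib/gamma": "v0.1.0", // untagged pseudo-version predates the fix
	"example.com/lib/delta": "v2.0.0", // fine
}

func main() {
	mods, err := ParseModulesTxt(sampleModulesTxt)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(mods, sampleMinFixed) {
		fmt.Printf("%s: vendored %s, fix requires >= %s\n", f.Module, f.Have, f.Need)
	}
}
```

Run against a real package by reading vendor/modules.txt from the unpacked vendor archive instead of the constant; the replace handling matters because a packager's security bump is typically expressed as a replace directive, so checking the left-hand side of the header would report the pre-fix version.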