On Wed, Apr 29, 2015 at 11:38:59AM -0500, Adam Miller wrote:
> Hello all,
> I've noticed that the Go (golang) Packaging Guidelines Draft[0]
> document has been stagnant for a while now and I'm curious what the
> next steps should be? Does this need to go through FESCo?

It shouldn't need to go through FESCo. See
https://fedorahosted.org/fpc/ticket/382 for current state.

> Also, since Go is statically compiled by default is this something
> we need to get an exception from FESCo similar to OCaml[1]?

That's covered in the draft.

> If there were to be some sort of approval for these bundled
> libraries, should there be a defined specification of which Go
> dependency managers are supported for sake of security response so
> that we can check for packages that need rebuilding when a
> vulnerability is found? What kind of changes would be necessary for
> build tooling there? (Maybe something in this area I'm not thinking
> of?)

Now, the bundling issue is an exciting kettle of worms — although the
problem of tons of unpackaged deps is not really that different from
Ruby or even Python or Perl.

I think it's fair to say that the _idea_ of the current approach --
first package to require it generally needs to do the work of getting
the dependencies in too -- is geared towards an eventual benefit to the
_next_ packages, which will then find their deps already nicely
available. (Pain now, but globally reduced pain later.)

--
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader