On Tue, 24 Mar 2020 10:14:08 +0000 Paul Wise <p...@debian.org> wrote:
> On Tue, Mar 24, 2020 at 6:17 AM Vincent Bernat wrote:
>
> > Kubernetes is already using Go modules. They happen to have decided to
> > keep shipping a `vendor/` directory but this is not uncommon. It is
> > often considered as a protection against disappearing modules. So, there
> > is nothing to be done upstream. And BTW, there are currently 616
> > dependencies, pinned to a specific version.
>
> I wonder if the existence of Software Heritage could convince them
> disappearing modules aren't a problem, or if another service is
> needed.

I think this is a symptom of the tools being used. Using 'go vendor' is a documented step in nearly all golang-based "release tutorials." Most never even get as far as considering that maybe their source should have a version, because the toolset mentality is "download latest at build time."

The 'go vendor' approach is especially bad within the Debian context because it will download any/all modules that are referenced. In some cases, 'go get [..]' can go from downloading a single repository to downloading 200+ because one (1) extra dependency was added for one (1) extra feature that almost nobody will ever use. It's nearly guaranteed that at least a large handful of those will have no license at all and at least one is going to have large embedded non-dfsg blobs.

Or, to summarize my rant...

These lazy young whipper snappers don't know what good source looks like!

.. back in my day, we coded on paper, had real bugs, and that's just the way we liked it.

--
Michael Lustfield