All, we have digressed a bit, so I want to bring the discussion back to what my main concerns are about this issue.
1. Should we bundle Go packages with Go software? If we do, except for the Go standard library which is part of dev-lang/go, do we need to bother with installing Go sources and packages at all? The down side of the whole bundling idea is that every consumer on someone's system could potentially have a different version of the Go package, which doesn't lend itself well to security concerns. This is why bundling is generally discouraged in Gentoo. Also, if we bundle, most of dev-go/* doesn't need to exist because these libraries would be bundled into and statically linked into the software that needs them. 2. How should we bundle? This is where my concern about consul and some other ebuilds comes in. The way the consul ebuild is written (putting the commit hashes of dependencies in SRC_URI) assumes that all of the dependencies will stay on github. This makes the ebuild far less flexable than go itself is. If we are going to bundle, I would rather have one tarball that includes all of the sources for consul and the dependent libraries dropped on the Gentoo mirrors. Such a tarball is very easy to create. Thoughts? William
signature.asc
Description: Digital signature
