Hello Didier, I agree with you about the snapd, juju, ubuntu-report (first I've heard of this one), not de-vendoring their code. I understand they were given some exemptions because they wanted identical code across all the supported distributions they use.
However, other distributions also want to reduce the amount of vendored code in their packages. (It's not just us that are finding Go an uneasy fit into our support model.) I'm also very concerned about dependencies breaking APIs regularly. This is tolerable over nine months but is painful over five or ten years.

I realize that authors are being asked to bear the brunt of the cost of de-vendoring but will see limited benefits over the next ten years. The security team will see great benefits over the next ten years but does not pay the upfront cost. I don't have perfect solutions to this.

I do believe that there are long term benefits to everyone for devendoring Go:

- We can focus on providing stable APIs (and hopefully, eventually, ABIs, to eliminate rebuilding)
- We can focus on providing security fixes across multiple concurrently supported versions rather than trying to support whatever was in git on a random date
- There's less need to copy-and-paste security fixes and bug fixes and features
- Because each project would standardize on a given version in a series, there's less backporting when fixes are needed: rather than having e.g. four versions in a series, for six series, there's just six versions, one per series
- The autopackage tests from every project will probably have better code coverage, branch coverage, etc., of dependencies than any one project could

(This isn't restricted to just Go and Rust of course: a recent CVE in C code affects 19 source packages because of vendoring. It realistically should have affected just two. While an aberration in our C packages, this is standard operating procedure with Go.)

I firmly believe that devendoring is a crucial part of keeping our technical debt reasonable. Putting in the work to reduce code duplication up front will pay dividends over time that benefit everybody. You're right that the benefits also accrue more quickly when everyone participates.
Thanks

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1839271

Title: [MIR] zsys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zsys/+bug/1839271/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs