On Tuesday, 5 June 2018 6:08:50 PM AEST Ansgar Burchardt wrote:
> Though I admit golang is a crappy language to support given one has to
> rebuild everything all the time there is a security update. Just
> imagine libc (or worse: linux) was written in Go and there was a
> security update: just rebuild the distribution ;-) (And for third-party
> providers wait for the vendored libc (or linux) to get updated, if that
> will happen at all.) So I'm not surprised many Golang things don't make
> it to testing.
I'm with you. You are absolutely right.
Static linking is part of the problem but Golang is terrible mostly because
of abuse of decades of best practice in regards to versioning of private
libraries. Golang community routinely vendor random commits of dependency
libraries without reasonable attempts to use semantically versioned releases.
Many libraries don't have any formal tags/releases and too many break
interfaces all the time which contributes to fear of transitions so
developers vendor more aggressively and resist upgrading dependencies. Just
look at Kubernetes - a terribly (un-)maintained mess where some dependency
libraries are not updated for years even when it is trivial.
Golang community is still trying to figure out how to manage dependencies.
There is some hope as lately more developers recognised importance of
semantic versioning yet it'll be a long way before things stabilise...
--
Regards,
Dmitry Smirnov.
---
The great enemy of the truth is very often not the lie -- deliberate,
contrived and dishonest, but the myth, persistent, persuasive, and
unrealistic. Belief in myths allows the comfort of opinion without the
discomfort of thought.
-- John F Kennedy
Attachment:
signature.asc
Description: This is a digitally signed message part.