Re: [RFC] Go (golang) packaging
On Wed, Jan 2, 2013 at 10:26 PM, Wouter Verhelst <firstname.lastname@example.org> wrote:
> On Wed, Jan 02, 2013 at 01:05:46PM +0100, Guillem Jover wrote:
>> - Private dependencies, as they leak to rdeps. When a library uses
>> another library privately this dependency gets linked in directly
>> in all other rdeps, when that library stops depending on that
>> private dependency, all rdeps need to be rebuilt.
> Strictly speaking, if you're only using static libraries this is not
> really true; once you've compiled something against a static library,
> the static library might change in whatever way it sees fit, the
> compiled binary will continue to work, with or without recompilation.
Consider this from the application perspective: Say an application
links against a library libfoo.a. At some point, libfoo decides to
include compression support, and requires functionality from libz. No
problem for the library package maintainer; he just adds a
build-dependency on libz-dev, and uploads the package. At some point
the security team needs to update the application and finds the
package to FTBFS because libz is missing. The solution, of course, is
now to extend the build-dependencies of the application package.
However, this is not obvious and in any case more effort than a
> This isn't true if you're using a mix of shared and static libraries, of
mixing shared and static libraries makes the situation no less
complicated, that's true.