Re: [RFC] Go (golang) packaging
* Wouter Verhelst:
> Strictly speaking, if you're only using static libraries this is not
> really true; once you've compiled something against a static library,
> the static library might change in whatever way it sees fit, the
> compiled binary will continue to work, with or without recompilation.
My main worry is that, for example, a fix in another, otherwise
unrelated dependency prompts a rebuild, and this picks up behavioral
changes which haven't been visible before, but lingering in the static
library. Essentially, we end up with non-reproducible builds.
The way we currently do QA, it is important that we do not release
many packages with statically linked copies of outdated libraries. We
wouldn't have much chance spotting the impact of such lingering
changes once they are materializing. Non-reproducible builds are also
a software freedom issue (practically speaking).