Re: [RFC] Go (golang) packaging

To: Reinhard Tartler <siretart@gmail.com>, debian-devel@lists.debian.org
Subject: Re: [RFC] Go (golang) packaging
From: Michael Stapelberg <stapelberg@debian.org>
Date: Thu, 03 Jan 2013 12:20:55 +0100
Message-id: <[🔎] x6r4m2ldgo.fsf@midna.zekjur.net>
In-reply-to: <[🔎] CAJ0cceZZYy2QcsFKO4uu5B4zm+uz3r7Ou0PAWH==DZ5aBe4kKA@mail.gmail.com>
References: <[🔎] x68v8dow53.fsf@midna.zekjur.net> <[🔎] CAKTje6H1ijosmhd1O23oU9QVhV_jjp3ocVoBXJDWXXfqsk1JaA@mail.gmail.com> <[🔎] x6fw2kop7h.fsf@midna.zekjur.net> <[🔎] CAKTje6G3V1NCPyKnZt7By=SyDcn_qh-kwnbSvEenJKKHMUCoVA@mail.gmail.com> <[🔎] CAJusiZWXPPfHZLNvecEFh0yiy8sMnSJTVQ8g1B+Dd-=0EYS4Og@mail.gmail.com> <[🔎] x64nj0ngow.fsf@midna.zekjur.net> <[🔎] 20130102120546.GA31352@gaara.hadrons.org> <[🔎] 20130102212637.GA18077@grep.be> <[🔎] CAJ0cceZZYy2QcsFKO4uu5B4zm+uz3r7Ou0PAWH==DZ5aBe4kKA@mail.gmail.com>

Hi Reinhard,

Reinhard Tartler <siretart@gmail.com> writes:
> Consider this from the application perspective: Say an application
> links against a library libfoo.a. At some point, libfoo decides to
> include compression support, and requires functionality from libz. No
> problem for the library package maintainer; he just adds a
> build-dependency  on libz-dev, and uploads the package. At some point
> the security team needs to update the application and finds the
> package to FTBFS because libz is missing. The solution, of course, is
> now to extend the build-dependencies of the application package.
> However, this is not obvious and in any case more effort than a
> binNMU.
Thanks for your example. It occurs to me that the following way deals
with the problem:

The hypothetical “foo” package is packaged as “golang-foo-dev”.
The hypothetical application is packaged as “barapp”, which
Build-Depends on “golang-foo-dev”.

When golang-foo-dev starts depending on additional libraries, say
“golang-zlib-dev”, it not only adds that library to its Build-Depends,
but also to its Depends. This is okay because you cannot use
“golang-foo-dev” without having “golang-zlib-dev” installed (as you
explained), and normal users don’t get an unnecessary dependency because
“barapp” doesn’t Depend (only Build-Depends) on either of these
libraries anyway.

I hope my explanation was clear, the tl;dr is “static golang libraries
should mirror Build-Depends into Depends”. What do you think?

-- 
Best regards,
Michael

Reply to:

References:
- [RFC] Go (golang) packaging
  - From: Michael Stapelberg <michael+debian@stapelberg.de>
- Re: [RFC] Go (golang) packaging
  - From: Paul Wise <pabs@debian.org>
- Re: [RFC] Go (golang) packaging
  - From: Michael Stapelberg <stapelberg@debian.org>
- Re: [RFC] Go (golang) packaging
  - From: Paul Wise <pabs@debian.org>
- Re: [RFC] Go (golang) packaging
  - From: Shawn <shawnlandden@gmail.com>
- Re: [RFC] Go (golang) packaging
  - From: Michael Stapelberg <stapelberg@debian.org>
- Re: [RFC] Go (golang) packaging
  - From: Guillem Jover <guillem@debian.org>
- Re: [RFC] Go (golang) packaging
  - From: Wouter Verhelst <wouter@debian.org>
- Re: [RFC] Go (golang) packaging
  - From: Reinhard Tartler <siretart@gmail.com>

Prev by Date: Re: [RFC] Go (golang) packaging
Next by Date: Re: [RFC] Go (golang) packaging
Previous by thread: Re: [RFC] Go (golang) packaging
Next by thread: Re: [RFC] Go (golang) packaging
Index(es):
- Date
- Thread