[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rkt, Golang

On Tuesday, 5 June 2018 6:08:50 PM AEST Ansgar Burchardt wrote:
> Though I admit golang is a crappy language to support given one has to
> rebuild everything all the time there is a security update.  Just
> imagine libc (or worse: linux) was written in Go and there was a
> security update: just rebuild the distribution ;-) (And for third-party
> providers wait for the vendored libc (or linux) to get updated, if that
> will happen at all.)  So I'm not surprised many Golang things don't make
> it to testing.

I'm with you. You are absolutely right.

Static linking is part of the problem but Golang is terrible mostly because 
of abuse of decades of best practice in regards to versioning of private 
libraries. Golang community routinely vendor random commits of dependency 
libraries without reasonable attempts to use semantically versioned releases. 
Many libraries don't have any formal tags/releases and too many break 
interfaces all the time which contributes to fear of transitions so 
developers vendor more aggressively and resist upgrading dependencies. Just 
look at Kubernetes - a terribly (un-)maintained mess where some dependency 
libraries are not updated for years even when it is trivial.

Golang community is still trying to figure out how to manage dependencies.
There is some hope as lately more developers recognised importance of 
semantic versioning yet it'll be a long way before things stabilise...

 Dmitry Smirnov.


The great enemy of the truth is very often not the lie -- deliberate,
contrived and dishonest, but the myth, persistent, persuasive, and
unrealistic. Belief in myths allows the comfort of opinion without the
discomfort of thought.
        -- John F Kennedy

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: