On Tuesday, 5 June 2018 6:08:50 PM AEST Ansgar Burchardt wrote: > Though I admit golang is a crappy language to support given one has to > rebuild everything all the time there is a security update. Just > imagine libc (or worse: linux) was written in Go and there was a > security update: just rebuild the distribution ;-) (And for third-party > providers wait for the vendored libc (or linux) to get updated, if that > will happen at all.) So I'm not surprised many Golang things don't make > it to testing. I'm with you. You are absolutely right. Static linking is part of the problem but Golang is terrible mostly because of abuse of decades of best practice in regards to versioning of private libraries. Golang community routinely vendor random commits of dependency libraries without reasonable attempts to use semantically versioned releases. Many libraries don't have any formal tags/releases and too many break interfaces all the time which contributes to fear of transitions so developers vendor more aggressively and resist upgrading dependencies. Just look at Kubernetes - a terribly (un-)maintained mess where some dependency libraries are not updated for years even when it is trivial. Golang community is still trying to figure out how to manage dependencies. There is some hope as lately more developers recognised importance of semantic versioning yet it'll be a long way before things stabilise... -- Regards, Dmitry Smirnov. --- The great enemy of the truth is very often not the lie -- deliberate, contrived and dishonest, but the myth, persistent, persuasive, and unrealistic. Belief in myths allows the comfort of opinion without the discomfort of thought. -- John F Kennedy
Description: This is a digitally signed message part.