
Re: What to do when DD considers policy to be optional? [kubernetes]

On Tue, 24 Mar 2020 10:14:08 +0000
Paul Wise <pabs@debian.org> wrote:

> On Tue, Mar 24, 2020 at 6:17 AM Vincent Bernat wrote:
> 
> > Kubernetes is already using Go modules. They happen to have decided to
> > keep shipping a `vendor/` directory but this is not uncommon. It is
> > often considered as a protection against disappearing modules. So, there
> > is nothing to be done upstream. And BTW, there are currently 616
> > dependencies, pinned to a specific version.
> 
> I wonder if the existence of Software Heritage could convince them
> disappearing modules aren't a problem, or if another service is
> needed.

I think this is a symptom of the tools being used. Using 'go vendor' is a
documented step in nearly all golang-based "release tutorials." Most never even
get as far as considering that maybe their source should have a version,
because the toolset mentality is "download latest at build time."

The 'go vendor' approach is especially bad within the Debian context because it
will download any/all modules that are referenced. In some cases, 'go get [..]'
can go from downloading a single repository to downloading 200+ because one (1)
extra dependency was added for one (1) extra feature that almost nobody will
ever use.

It's nearly guaranteed that at least a large handful of those will have no
license at all and at least one is going to have large embedded non-dfsg blobs.

Or, to summarize my rant...

These lazy young whippersnappers don't know what good source looks like!

.. back in my day, we coded on paper, had real bugs, and that's just the way we
liked it.

-- 
Michael Lustfield
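The licensing worry raised above (hundreds of transitively vendored modules, some with no licence file at all) can be checked mechanically from `vendor/modules.txt`. The following is an added example, not code from the thread or from Kubernetes; it assumes the `# module version` / `## explicit` line format that `go mod vendor` writes, and the constructed sample tree is not a real project.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// VendoredModule is one "# path version" header entry from vendor/modules.txt.
type VendoredModule struct {
	Path, Version string
	Explicit      bool // followed by a "## explicit" marker (listed directly in go.mod)
}

// ParseModulesTxt extracts module headers from modules.txt; package lines are skipped.
// A replacement header ("# path => ../dir") yields an empty Version.
func ParseModulesTxt(content string) []VendoredModule {
	var mods []VendoredModule
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "## explicit"):
			if len(mods) > 0 {
				mods[len(mods)-1].Explicit = true
			}
		case strings.HasPrefix(line, "# "):
			fields := strings.Fields(line[2:])
			m := VendoredModule{Path: fields[0]}
			if len(fields) >= 2 && fields[1] != "=>" {
				m.Version = fields[1]
			}
			mods = append(mods, m)
		}
	}
	return mods
}

// MissingLicenses reports modules whose vendored directory carries none of the
// usual licence file names, so a packager can review them before upload.
func MissingLicenses(vendorDir string, mods []VendoredModule) []string {
	names := []string{"LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING", "COPYING.md"}
	var missing []string
	for _, m := range mods {
		found := false
		for _, n := range names {
			if _, err := os.Stat(filepath.Join(vendorDir, m.Path, n)); err == nil {
				found = true
				break
			}
		}
		if !found {
			missing = append(missing, m.Path+"@"+m.Version)
		}
	}
	return missing
}

func main() {
	// Falls back to a constructed sample when no real vendor/modules.txt exists.
	data, err := os.ReadFile("vendor/modules.txt")
	if err != nil {
		data = []byte("# github.com/example/good v1.2.3\n## explicit\ngithub.com/example/good/pkg\n" +
			"# github.com/example/nolicense v0.0.1\ngithub.com/example/nolicense\n")
	}
	mods := ParseModulesTxt(string(data))
	fmt.Printf("%d vendored modules\n", len(mods))
	fmt.Println("no licence file found for:", MissingLicenses("vendor", mods))
}
```

Run it from a module's root after `go mod vendor`; every reported module needs a manual licence review before the package can be considered DFSG-clean.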