
Re: Fedora planning to stop doing source-only Go packages and vendor everything



> To me the vendoring approach Fedora is going for feels wrong, but I can
> understand they aren't happy with the current situation.

It feels wrong to me as well, but it seems Fedora decided to "give in"
instead of educating Go developers to rein in the dependency
sprawl. This is a very telling quote from the page I linked:

"...a simple package like doctl (a CLI app to manage DigitalOcean
resources) had 122 dependencies listed in the go.mod file, but
requires 752 packages to be installed to build it, where 629 of them
are golang-*-devel source-only packages"

That package https://github.com/digitalocean/doctl/blob/main/go.mod
has dependencies like github.com/pkg/errors, instead of using built-in
Go 1.13+ errors.* functions, and it has github.com/google/uuid instead
of built-in crypto/rand, and it uses github.com/mattn/go-isatty just
to check if the terminal is interactive or not.

The NodeJS ecosystem had its moment 10 years ago with
https://www.theregister.com/2016/03/23/npm_left_pad_chaos/ and now
there are a bunch of guides like
https://github.com/ishtms/learn-nodejs-hard-way teaching people how to
build apps without using an external dependency for everything. The Go
ecosystem hasn't had this moment yet, but it is bound to come. We can
do our part in Debian by educating our upstreams and filing requests
upstream to cut down on the number of excessive dependencies.

