Re: Are circular dependencies problematic?

To: Richard Hansen <rhansen@rhansen.org>, debian-go@lists.debian.org
Subject: Re: Are circular dependencies problematic?
From: Arnaud Rebillout <arnaudr@debian.org>
Date: Wed, 4 Mar 2026 08:02:22 +0700
Message-id: <[🔎] adccee48-b32b-41e2-b78f-4610b7ed6feb@debian.org>
In-reply-to: <[🔎] 2be855ac-5b72-4278-afeb-4e187a856f6b@rhansen.org>
References: <[🔎] 2be855ac-5b72-4278-afeb-4e187a856f6b@rhansen.org>

On 03/03/2026 13:47, Richard Hansen wrote:

golang.org/x/net and golang.org/x/crypto require each other in theirgo.mod files, but I noticed that the golang-golang-x-crypto-dev Debianpackage contains a copy of the golang.org/x/net/idna Go package tobreak that dependency cycle:<https://salsa.debian.org/go-team/packages/golang-go.crypto/-/blob/debian/latest/debian/README.source>.

One issue with circular dependencies is when you want to update thepackages to newer version.

Like, you try to bump x/net, but find out it FTFBS because it needs amore recent x/crypto. So you try to update x/crypto first, but it FTBFSbecause it needs a more recent x/net. Now you're stuck, and untanglingthis might be tricky and _really_ time-consuming.

I learnt that the hard way with the docker stack years ago. I don't knowif it ever happened in practice with golang.org/x/{net,crypto}.

I'd think a little code vendoring can be better than a circulardependency. In this particular case, the maintainer of this packageknows best.


Cheers,

Arnaud

Reply to:

Follow-Ups:
- Re: Are circular dependencies problematic?
  - From: Andrew Lee <ajqlee@debian.org>

References:
- Are circular dependencies problematic?
  - From: Richard Hansen <rhansen@rhansen.org>

Prev by Date: Re: Are circular dependencies problematic?
Next by Date: Re: Are circular dependencies problematic?
Previous by thread: Re: Are circular dependencies problematic?
Next by thread: Re: Are circular dependencies problematic?
Index(es):
- Date
- Thread