
Re: packages built with golang



Cousin Stanley wrote: 
>   Reading this newsgroup earlier today
>   someone mentioned the  hugo  package
>   for static site generation.
> 
>   I was curious about the package
>   so I tried .... 
> 
>     $ apt-cache show hugo
> 
>   The usual package information was returned
>   along with, in my opinion, an unsightly mess
>   entailing a long string of 88 entries 
>   naming individual golang packages 
>   following Built-Using:
> 
>   A simple message such as the following 
>   might be sufficient ....
> 
>     Built-Using:  golang , golang libraries and packages
> 
>   I have seen this with a few packages other than hugo
>   that were built using golang as well.

Oh, no.

An ordinary package is built with, say, glibc and openssl and a
couple of parsers. All of them are already in Debian, so they go
into the Depends categories. Each of them has its own
dependencies, but you mostly don't have to install them because
they are already on your system.

When a Go package is built, it probably has about the same
number of libraries that it depends on, but because Go is
static, all of them have to be linked into the binary that gets
built and distributed.

Now, when there's a problem in libfoo=2.1 which allows anyone to
supply the password NSA31415926535 for authentication as root,
Debian has to issue libfoo=2.2 as a security update. Every
package that uses libfoo gets fixed at the same time. (Running
programs may need to be restarted.)

If the same problem is in go-foo, every package that was
Built-Using go-foo needs to be tracked down, rebuilt, and a
separate security update issued.

Not having Built-Using is just like not having dependencies.

-dsr-
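
The tracking step described in the message above, as an added example that is not part of the original post: it reads `Built-Using` fields from package stanzas and lists the binaries that embed a vulnerable version of go-foo. The stanzas, the package names other than go-foo and libfoo, and all version strings are constructed.

```python
import re

# Constructed sample in the layout of `apt-cache show` output; package names
# and versions are made up (go-foo / libfoo are the names used in the message).
SAMPLE = """\
Package: sitegen
Version: 0.5-1
Built-Using: golang-1.19 (= 1.19.8-2), go-foo (= 2.1-1),
 go-bar (= 0.3-2)

Package: webtool
Version: 1.4-2
Built-Using: golang-1.19 (= 1.19.8-2), go-foo (= 2.2-1)

Package: cprog
Version: 3.0-1
Depends: libfoo (>= 2.1)
"""

def parse_stanzas(text):
    """Yield one dict per control stanza, joining folded continuation lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def built_using(fields):
    """Return {source_package: exact_version} from a Built-Using field."""
    out = {}
    for item in fields.get("Built-Using", "").split(","):
        m = re.match(r"\s*(\S+)\s*\(=\s*([^)\s]+)\s*\)", item)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def needs_rebuild(text, source, bad_versions):
    """Binary packages that embed `source` at one of the vulnerable versions."""
    hits = []
    for fields in parse_stanzas(text):
        version = built_using(fields).get(source)
        if version in bad_versions:
            hits.append((fields["Package"], fields["Version"], version))
    return hits
```

Calling `needs_rebuild(SAMPLE, "go-foo", {"2.1-1"})` reports only `sitegen`: `webtool` was already rebuilt against 2.2-1, and `cprog` links libfoo dynamically, so it has no `Built-Using` entry and is fixed by the library update itself.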

