Hi Felix,

On Wednesday, 21 October 2020 12:52:40 PM AEDT Felix Lechner wrote:
> > We favour technical elegance often at the expense of maintainers' comfort.
> 
> Is our approach really either one of those? I think our response to
> the vendoring explosion is at odds with the trends in many languages.

IMHO we are managing quite admirably. Basically, to me it looks like you 
don't want to maintain Kubernetes the way we maintain heavy Golang packages.
You would have to learn to un-vendor many libraries. Yes, at first there will 
be a significant effort but then it will become easier. "Too many vendored 
libraries to use packaged libs" is a poor excuse.

We have been dealing with "explosion" for years already. Tools like
"dh-make-golang" are helpful to generate initial packaging for new Golang
libraries in a semi-automatic manner. FTP-masters are usually quite effective
with processing of NEW packages. Look how many packages we already have:

  
https://qa.debian.org/developer.php?login=pkg-go-maintainers%40lists.alioth.debian.org+team%2Bpkg-go%40tracker.debian.org


> It's time to retool. At the two ends of the solution spectrum, I see
> 
>     1. Fully vendored source packages; or
>     2. A packaging system that allows different vendor versions to
> co-exist.

Personally I'm not satisfied with either of those inferior proposals.

Besides, un-vendoring libraries can prevent some CVE issues as well.


> Either one allows dependent sources to consume whichever versions they
> require, but in my view solution (2) is otherwise superior---provided
> that the packaging process is automated. (A language's build system
> also has to distinguish the installed versions.) For each language so
> affected, could we make (2) our goal, and allow (1) until then?

IMHO tools have to come first (if ever). You are advocating for disruptive 
changes; therefore your proposed theoretical solutions have to be available as 
a proof of concept for review.

In the meantime you could follow the established practice that is 
demonstrated to be working on several packaged heavy Golang applications.

If we tolerate full vendoring now, because "there is no better way" yet, then 
there will be no better way for sure. For now using packaged system libraries 
whenever possible is the best way.

-- 
Kind regards,
 Dmitry Smirnov
 GPG key : 4096R/52B6BBD953968D1B

---

Those who disdain wealth as a worthy goal for an individual or a society
seem not to realize that wealth is the only thing that can prevent poverty.
    -- Thomas Sowell
