> To me the vendoring approach Fedora is going for feels wrong, but I can
> understand they aren't happy with the current situation.

It feels wrong to me as well, but it seems Fedora decided to "give in" instead of educating Go developers to rein in the dependency sprawl.

This is a very telling quote from the page I linked:

"...a simple package like doctl (a CLI app to manage DigitalOcean resources) had 122 dependencies listed in the go.mod file, but requires 752 packages to be installed to build it, where 629 of them are golang-*-devel source-only packages"

That package https://github.com/digitalocean/doctl/blob/main/go.mod has dependencies like github.com/pkg/errors, instead of using built-in Go 1.13+ errors.* functions, and it has github.com/google/uuid instead of built-in crypto/rand, and it uses github.com/mattn/go-isatty just to check if the terminal is interactive or not.

The NodeJS ecosystem had its moment 10 years ago with https://www.theregister.com/2016/03/23/npm_left_pad_chaos/ and now there are a bunch of guides like https://github.com/ishtms/learn-nodejs-hard-way teaching people how to build apps without using an external dependency for everything. The Go ecosystem hasn't had this moment yet, but it is bound to come.

We can do our part in Debian by educating our upstreams and filing requests upstream to cut down on the number of excessive dependencies.
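
As an added illustration (not part of the original message and not code from doctl), the Go sketch below shows standard-library-only counterparts for the three kinds of dependency named above. The function names and the file path are hypothetical, and the character-device check is only an approximation of what an isatty library does.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// NewUUIDv4 (hypothetical name) builds a random RFC 4122 version 4 UUID
// from crypto/rand, without an external UUID package.
func NewUUIDv4() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", fmt.Errorf("uuid: reading random bytes: %w", err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // variant bits = 10xxxxxx
	return fmt.Sprintf("%x-%x-%x-%x-%x",
		b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// OpenConfig (hypothetical name) wraps the underlying error with %w, the
// Go 1.13+ mechanism, so callers can still match it with errors.Is/As.
func OpenConfig(path string) error {
	f, err := os.Open(path)
	if err != nil {
		return fmt.Errorf("open config %q: %w", path, err)
	}
	return f.Close()
}

// IsCharDevice reports whether f is a character device. This is weaker
// than a real isatty check: /dev/null is a character device too.
func IsCharDevice(f *os.File) bool {
	fi, err := f.Stat()
	return err == nil && fi.Mode()&fs.ModeCharDevice != 0
}

func main() {
	id, err := NewUUIDv4()
	fmt.Println("uuid:", id, "err:", err)

	// Constructed path that is assumed not to exist.
	err = OpenConfig("/nonexistent/constructed-config.yaml")
	fmt.Println("wrapped error still matches fs.ErrNotExist:",
		errors.Is(err, fs.ErrNotExist))

	fmt.Println("stdin is a character device:", IsCharDevice(os.Stdin))
}
```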
