Le 2020-02-26 09:50, Martin Sehnoutka a écrit :
Hi,
Hi,
Go package management: I know that Go has a package management now, but the question is if upstream communities are going to adopt it.
Upstream communities won’t have any choice if they want their software to be trusted by third parties, because all the upstream "free" security checking provided by Google in its own registry relies on the new component model.
Software security is hard. Security of huge piles of unmanaged third party bundled code is not economically feasible. That’s why Google moved to a formal component system, for the exact same reasons distros moved to formal packages 20+ years ago. (and it was all done in a NIH way Google side, they’re re-discovering all the packaging lessons distros learnt long ago one by one).
Thanks for this email thread I also had few discussions off-line and it seems to me that there is a certain shift in the way people want to distribute their software. More specifically I could see more people focus on shipping their software in containers and trying to avoid RPM completely.
You can see it because devs keep hoping for a free lunch. That does not exist in the real life. Real world software has maintenance and security issues. Managing those requires a finer grained component model than shoveling piles of unmanaged code in a container and hoping for the best.
Upstreams that do not make the effort to manage the third party code they rely on, condemn themselves to obscurity, or to revenue capture by third parties that *will* transform their code in something manageable (typically, by breaking it in components that can be audited). Typically, Amazon, Google, Red Hat, etc.
Regards, -- Nicolas Mailhot _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
