On Thu, Jul 20, 2023 at 8:22 PM Carlos Rodriguez Fernandez
<carlosrodrifernan...@gmail.com> wrote:
>
> Hi all,
>
> I am interested in packaging some golang programs for Fedora (and EPEL), and 
> I read through the guidelines:
> https://docs.fedoraproject.org/en-US/packaging-guidelines/Golang/
>
> My question is more about the reasoning for the recommended handling of 
> dependencies.
>
> Other language platforms have shared runtime objects, and devel packages 
> provide the interface to link to them when necessary; however golang compiles 
> it all statically. It is very easy to bring all the dependencies locally for 
> compilation directly from git repos and then nothing is necessary at runtime.
>
> Creating rpm packages for each golang dependency seems counterproductive as 
> it adds an additional burden to maintain without the benefits of shared 
> runtime objects.
>
> I have the feeling I am missing something. What is the benefit of having each 
> golang build dependency as rpms?
> Is it a requirement for golang programs rpm contributions or is it optional? 
> (e.g. prometheus in EPEL9 does not follow the deps handling guidelines but 
> not sure if it is a tech debt or an option).

There are different trade-offs to both approaches (packaging
dependencies separately vs. bundling them where they are needed, i.e.
"vendoring").
The "vendoring" approach is technically allowed in Fedora, but
definitely not the preferred option.

For example, when things are packaged, you need to verify that
dependencies fulfil certain technical and legal requirements.
When you package dependencies individually, that burden is shared
between all packagers who need these libraries.
When using the "vendored" approach, that burden basically falls on
every single maintainer, leading to duplicated effort.

Additionally, it is usually good to run test suites of projects
(applications *and* libraries) when packaging them for Fedora.
This is not possible when using "vendored" dependencies, but easy when
packaging things separately.

Having libraries packaged independently also makes certain other tasks
easier, for example, applying a patch for a security update (in *one*
place!) and then rebuilding affected packages.
Applying security fixes to packages that vendor their dependencies is
much more cumbersome, and also needs to happen separately in every
affected application.

I'm sure I forgot some points (both in favor or against both
approaches), but that's the "elevator pitch" I can give you quickly.
:)

Fabio
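
The security-update point above, as an added example (not part of the original message and not Fedora tooling): when dependencies are vendored, each package's `vendor/modules.txt` has to be checked separately to find the copies that still predate a fix. The package names, the module path `example.org/libfoo` and the versions are constructed, and the sketch assumes no `replace` directives.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed vendor/modules.txt contents for three hypothetical packages.
var samplePkgs = map[string]string{
	"app-a": "# example.org/libfoo v1.4.2\n## explicit\nexample.org/libfoo\n",
	"app-b": "# example.org/libfoo v1.10.0\n## explicit\nexample.org/libfoo\n",
	"app-c": "# example.org/other v0.3.0\n## explicit\nexample.org/other\n",
}

// vendoredVersion returns the version of mod recorded in modules.txt, or "".
func vendoredVersion(modulesTxt, mod string) string {
	for _, line := range strings.Split(modulesTxt, "\n") {
		// Module lines read "# <path> <version>"; "## ..." lines are annotations.
		if f := strings.Fields(line); len(f) >= 3 && f[0] == "#" && f[1] == mod {
			return f[2]
		}
	}
	return ""
}

// older reports whether a < b, comparing vMAJOR.MINOR.PATCH numerically.
// Simplification: pre-release and pseudo-version suffixes are ignored.
func older(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// needsFix lists, sorted, the packages whose vendored copy of mod predates fixed.
func needsFix(pkgs map[string]string, mod, fixed string) []string {
	var out []string
	for name, txt := range pkgs {
		if v := vendoredVersion(txt, mod); v != "" && older(v, fixed) {
			out = append(out, name+" "+v)
		}
	}
	sort.Strings(out)
	return out
}
```

With the library packaged once, the same question is answered by a single package version rather than by a scan of every application's source tree.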
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org