At present it is our practice to "vendor" all dependencies for a Golang package. This has the advantage that everything is in one nice, self-contained package, but it has the disadvantage that the dependencies are hidden: a vendored copy of a library is not a package of its own, so a security issue in that library is not tracked against the applications that carry a copy of it and may slip through the cracks.

The idea is to investigate and create automation, "go2rpm", that generates a spec file with the necessary "BuildRequires:" lines so that the dependencies can be broken out into golang-* packages and we get rid of the implicit dependency inclusion via "vendor". The potential problem is scale, with some Go applications having thousands of dependencies.

A second issue is that Go has strict version pinning, meaning Go application A may depend on golang-xyz 1.1 while Go application B depends on golang-xyz 1.2. This means every required version of every dependency has to be available as a package. Further, it must be easy to add a new version of a module to an existing package. The idea is to solve this problem using the _multibuild OBS feature.
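To make the two problems above concrete, here is an added Go example; it is not code from the project or from go2rpm, which the page describes only as an idea. It parses the "require" entries of a go.mod file, emits "BuildRequires:" lines for them, and, given the go.mod files of several applications, works out which modules are pinned at more than one version and therefore need one _multibuild flavor per version. The golang(<import path>) virtual-provide naming, the exact "=" version pin, the mapping of "-" to "~" in versions, and the two sample go.mod files are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Requirement is one entry of a go.mod "require" directive.
type Requirement struct {
	Path, Version string
	Indirect      bool
}

// ParseGoMod pulls the require entries (one-line and block form) out of go.mod text.
// Indirect modules are kept: they are linked into the static binary too.
func ParseGoMod(src string) ([]Requirement, error) {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line, comment, _ := strings.Cut(sc.Text(), "//")
		indirect := strings.TrimSpace(comment) == "indirect"
		f := strings.Fields(line)
		switch {
		case len(f) == 0: // blank or comment-only line
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) != 2:
			return nil, fmt.Errorf("go.mod line %d: bad require entry %q", n, line)
		case inBlock:
			reqs = append(reqs, Requirement{f[0], f[1], indirect})
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) == 3:
			reqs = append(reqs, Requirement{f[1], f[2], indirect})
		} // module, go, replace and exclude directives are ignored
	}
	if inBlock {
		return nil, fmt.Errorf("go.mod: unterminated require block")
	}
	return reqs, sc.Err()
}

// RPMVersion maps a module version to an RPM version (assumed convention): drop the "v"
// and turn "-" (illegal in RPM versions) into "~", which RPM orders before the base
// version just as semver orders v1.2.0-rc1 before v1.2.0; pseudo-versions follow suit.
func RPMVersion(v string) string {
	return strings.ReplaceAll(strings.TrimPrefix(v, "v"), "-", "~")
}

// BuildRequires renders one line per dependency; the golang(<path>) provide and "=" pin are assumed conventions.
func BuildRequires(reqs []Requirement) []string {
	out := make([]string, 0, len(reqs))
	for _, r := range reqs {
		out = append(out, fmt.Sprintf("BuildRequires:  golang(%s) = %s", r.Path, RPMVersion(r.Version)))
	}
	return out
}

// MultibuildFlavors returns, for each module pinned at more than one version across
// the given applications, its sorted versions: one _multibuild flavor each.
func MultibuildFlavors(apps map[string][]Requirement) map[string][]string {
	byPath, seen := map[string][]string{}, map[string]bool{}
	for _, reqs := range apps {
		for _, r := range reqs {
			if v := RPMVersion(r.Version); !seen[r.Path+"@"+v] {
				seen[r.Path+"@"+v] = true
				byPath[r.Path] = append(byPath[r.Path], v)
			}
		}
	}
	for path, vs := range byPath {
		sort.Strings(vs)
		if len(vs) < 2 {
			delete(byPath, path) // a single version needs no flavors
		}
	}
	return byPath
}

// Constructed go.mod files for two made-up applications (all paths and versions invented).
var sampleApps = map[string]string{
	"app-a": "module example.com/app-a\n\ngo 1.13\n\nrequire (\n\tgithub.com/example/xyz v1.1.0\n\tgolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 // indirect\n)\n",
	"app-b": "module example.com/app-b\n\ngo 1.13\n\nrequire github.com/example/xyz v1.2.0\nrequire github.com/example/cli v2.0.0+incompatible\n",
}

func main() {
	apps := map[string][]Requirement{}
	for name, src := range sampleApps {
		reqs, err := ParseGoMod(src)
		if err != nil {
			panic(err)
		}
		apps[name] = reqs
		fmt.Printf("# %s\n%s\n", name, strings.Join(BuildRequires(reqs), "\n"))
	}
	fmt.Println("modules needing _multibuild flavors:", MultibuildFlavors(apps))
}
```

The "// indirect" entries are kept on purpose: a transitive dependency is linked into the binary exactly like a direct one, so it needs the same tracking. Run with "go run" the program prints the BuildRequires lines for both sample applications and reports github.com/example/xyz as the one module that needs flavors (1.1.0 and 1.2.0); a _multibuild file for that package would then carry one <flavor> element per version, while single-version modules stay plain packages.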

If all goes well this would radically change the way we package Go software, and a proposal would need to be discussed with the openSUSE community to change the golang packaging guidelines.

The advantages of this approach are automatic rebuilds on dependency changes and tracking and visibility of security issues in dependencies. This is especially important in Go, as every dependency is compiled into the static binary: a fix in a library only reaches users once every application that embeds it has been rebuilt.

Work will take place in https://build.opensuse.org/project/users/home:rjschwei:golang_novendor. Anyone interested, send me your OBS user ID and I'll add you to the project.


This project is part of:

Hack Week 19

Activity

  • 8 months ago: tbechtold liked Golan no vendor
  • 8 months ago: rjschwei started Golan no vendor
  • 8 months ago: rjschwei originated Golan no vendor
