<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, May 11, 2016 at 8:36 AM, Thomas Goirand <span dir="ltr"><<a href="mailto:zigo@debian.org" target="_blank">zigo@debian.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Pinning versions doesn't change the fact that you'll have to trust a<br>
large amount of providers, with some of the files stored in a single<br>
location on the Internet. Yes, you can add a cache, etc. but these are<br>
band-aids...</blockquote><div><br></div><div>If this were not a thread about Go, I'd swear you were talking about PyPI here...</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">With the huge difference that in the case of distros, you're trusting a<br>
single well known entity, with known QA and all, vs a very large number<br>
of 3rd party which you have absolutely no relationship with, and which<br>
you may not be able to get in touch with.</blockquote><div><br></div><div>But 'single location on the Internet' is a bad thing?</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In practice, you wont make any effort to make sure what you're<br>
downloading comes from trusted sources only: it's just too difficult for<br>
no rewards.</blockquote><div><br></div><div>And here is the real point, you (for every value of 'you', being me, zigo, jroll, everyone) are most likely to use the SAME principles and practices in development in all environments for the same purpose. I am just as meticulous in Go and Python and Perl for production use, and just as sloppy in all for one-off-hack use. Some tools make this easier, some make it harder (sometimes that's the same tool!)</div><div><br></div><div>Thomas, I understand why you believe that $language packaging systems are all evil. But they are a necessary evil because we have N OS packaging systems (think beyond Linux here, all of these languages do) to deal with. This is an extension of why OpenStack doesn't even try to include packaging in the main projects, and why tarballs are still a viable, and often preferred, method for upstream distribution.</div><div><br></div><div>The big difference with Go here is that the dependency work happens at build time, not deploy/runtime in most cases. That shifts much of the burden to people (theoretically) better suited to manage that work. Following the same basic principles with Go is just as possible as it is with Python, or C, or even Perl. They all require different details, but I believe working out those details is doable, even in a mostly-acceptable manner.</div><div><br></div><div>dt</div><div><br></div></div>-- <br><div class="gmail_signature"><br>Dean Troyer<br><a href="mailto:dtroyer@gmail.com" target="_blank">dtroyer@gmail.com</a><br></div>
</div></div>