[openstack-dev] [tc] supporting Go

Clint Byrum clint at fewbar.com
Tue May 10 17:35:39 UTC 2016

Excerpts from Rayson Ho's message of 2016-05-10 07:19:23 -0700:
> On Tue, May 10, 2016 at 2:42 AM, Tim Bell <Tim.Bell at cern.ch> wrote:
> > I hope that the packaging technologies are considered as part of the TC
> evaluation of a new language. While many alternative approaches are
> available, a language which could not be packaged into RPM or DEB would be
> an additional burden for distro builders and deployers.
> >
> I mentioned in earlier replies but I may as well mention it again: a
> package manager gives you no advantage in a language toolchain like Go (or
> Rust). In fact, when you code is written in Go, you will be spared from
> dependency hell.

Package managers don't just resolve dependencies. You may have forgotten
the days _before_ apt-get where they just _expressed_ dependencies, but
it was up to you to find and download and install them all together.

There is also integration. Having an init script or systemd unit that
expresses when it makes sense to start this service is quite useful.

Source packages assist users in repeating the build the way the binary
they're using was built. If you do need to patch, patching the version
you're using, with the flags it used, means less entropy to deal with.
The alternative is going full upstream, which is great, and should be
done for anything you intend to have a deep relationship, but may not be
appropriate in every case.

Finally, the chain of trust is huge. Knowing that the binary in that
package is the one that was built by developers who understand your OS
is something we take for granted every time we 'yum install' or 'apt-get
install'. Of course, a go binary distributor can make detached pgp
signatures of their binaries, or try to claim their server is secured
and https is enough. But that puts the onus on the user to figure out
how to verify, or places trust in the global PKI, which is usually fine
(and definitely better than nothing at all!) but far inferior to the
signed metadata/binary approach distros use.

> And, while not the official way to install Go, the Go toolchain can be
> packaged and in fact it is in Ubuntu 16.04 LTS:
> https://launchpad.net/ubuntu/xenial/+source/golang-1.6
> IMO, the best use case of not using a package manager is when deploying
> into containers -- would you prefer to just drop a static binary of your Go
> code, or you would rather install "apt-get" into a container image, and
> then install the language runtime via apt-get, and finally your
> application?? I don't know about you, but many startup companies like Go as
> it would give them much faster time to react.
> Lastly, I would encourage anyone who has never even used Go to at least
> download the Go toolchain and install it in your home directory (or if you
> are committed enough, system wide), and then compile a few hello world
> programs and see what Go gives you. Go won't give you everything, but I am
> a "pick the right tool for the right job" guy and I am pretty happy about
> Go.

Go's fine. But so is Python. I think the debate here is whether Go has
enough strengths vs. Python to warrant endorsement by OpenStack.

More information about the OpenStack-dev mailing list