[openstack-dev] [tc] supporting Go

Jim Rollenhagen jim at jimrollenhagen.com
Wed May 11 14:09:31 UTC 2016


On Wed, May 11, 2016 at 03:36:09PM +0200, Thomas Goirand wrote:
> On 05/11/2016 02:41 PM, Jim Rollenhagen wrote:
> >> Installing from $language manager instead of distro packages, be it in
> >> containers or not, will almost always make you download random blobs
> >> from the Internet, which are of course changing over time without any
> >> notice, losing the above 3 important features.
> > 
> > Unless you pin the versions of your dependencies.
> 
> Pinning versions doesn't change the fact that you'll have to trust a
> large amount of providers, with some of the files stored in a single
> location on the Internet. Yes, you can add a cache, etc. but these are
> band-aids...

Well, if we're talking about python, it all comes from PyPI. For Go, the
recommendation is for everything to come from Github, but you can
choose other sources if you desire.

> > As for "random blobs from the internet changing over time without
> > notice", I think this is the same thing for distros.
> 
> With the huge difference that in the case of distros, you're trusting a
> single well known entity, with known QA and all, vs a very large number
> of 3rd party which you have absolutely no relationship with, and which
> you may not be able to get in touch with.

"large number" certainly depends on the application and the number of
dependencies, no? If one is willing to make this tradeoff, they should
choose their upstreams wisely.

> > On the
> > other side, you're trusting yourself to handle these things
> 
> In practice, you won't make any effort to make sure what you're
> downloading comes from trusted sources only: it's just too difficult for
> no rewards.

Again, you're making assumptions about people. I've observed teams that
are *very* diligent about these things. Note that I never said everyone
should manage their own deps instead of using distro packages, I said
that it is a valid option if one is willing to put in the work.

// jim

P.S. we're way off topic now, we should probably take this piece of the
thread elsewhere. My intention was to point out that some people prefer
not to use distro packages for their application and its dependencies,
and that's okay.
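The pinning that the thread argues about is only a real defence against "blobs changing over time without notice" when the pin includes a content hash, not just a version number. The following is an added example, not code from this thread, from OpenStack or from pip itself: it builds a requirements file in pip's hash-pinning syntax (`pkg==version --hash=sha256:<hex>`, the format `pip install --require-hashes` consumes), parses it back with a strict parser that refuses unpinned or unhashed lines, and then verifies "downloaded" artifacts against the pins. The package names and artifact bytes are constructed stand-ins; the scenario at the bottom simulates an upstream silently republishing the same version with different contents and shows the verification catching it.

```python
import hashlib
import re

# Constructed stand-ins for fetched sdists/wheels, keyed by (name, version).
# These are not real packages; the bytes exist only to be hashed.
ORIGINAL_ARTIFACTS = {
    ("examplepkg", "1.2.0"): b"examplepkg 1.2.0 archive contents (constructed)",
    ("otherpkg", "0.9.1"): b"otherpkg 0.9.1 archive contents (constructed)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact, the digest pip's --hash option expects."""
    return hashlib.sha256(data).hexdigest()


def build_pinned_requirements(artifacts: dict) -> str:
    """Emit one 'name==version --hash=sha256:<hex>' line per artifact.

    This is what a maintainer would commit after reviewing the exact files
    they want future installs to be limited to.
    """
    lines = [
        f"{name}=={version} --hash=sha256:{sha256_hex(data)}"
        for (name, version), data in sorted(artifacts.items())
    ]
    return "\n".join(lines) + "\n"


# Exact '==' pin followed by one or more sha256 hashes; anything looser
# (ranges, no hash) is rejected, mirroring pip's --require-hashes mode.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def parse_pinned_requirements(text: str) -> dict:
    """Return {(name, version): {allowed sha256 hex, ...}}.

    Raises ValueError on any requirement that is not exactly pinned and
    hashed, so a single loose line fails the whole file instead of being
    silently accepted.
    """
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        allowed = set(re.findall(r"--hash=sha256:([0-9a-f]{64})", m.group("hashes")))
        pins[(m.group("name").lower(), m.group("version"))] = allowed
    return pins


def verify_download(pins: dict, name: str, version: str, data: bytes):
    """Check one fetched artifact against the pins; returns (ok, reason)."""
    key = (name.lower(), version)
    if key not in pins:
        return False, f"{name}=={version} is not pinned at all"
    digest = sha256_hex(data)
    if digest not in pins[key]:
        return False, f"{name}=={version}: sha256 {digest[:12]}... is not in the pinned set"
    return True, "hash matches pin"


def verify_all(pins: dict, fetched: dict) -> list:
    """Verify every fetched artifact; returns [(name, version, ok, reason), ...]."""
    return [
        (name, version, *verify_download(pins, name, version, data))
        for (name, version), data in sorted(fetched.items())
    ]


if __name__ == "__main__":
    requirements_txt = build_pinned_requirements(ORIGINAL_ARTIFACTS)
    print(requirements_txt)
    pins = parse_pinned_requirements(requirements_txt)

    # Scenario (constructed): the upstream later republishes otherpkg 0.9.1
    # under the same version number but with different bytes.
    fetched_later = dict(ORIGINAL_ARTIFACTS)
    fetched_later[("otherpkg", "0.9.1")] = b"otherpkg 0.9.1 contents, silently replaced (constructed)"

    for name, version, ok, reason in verify_all(pins, fetched_later):
        print(f"{'OK  ' if ok else 'FAIL'} {name}=={version}: {reason}")
```

A version-only pin would have accepted the replaced archive without complaint; the hash pin turns "the blob changed upstream" into a hard install failure that someone has to look at. Real pip requirements files also allow the `--hash` options on backslash-continued lines and more than one hash per requirement (for several wheels of the same release); the parser above handles multiple hashes on one line but not line continuations.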
