[MacPorts] #61192: Lots of golang ports are downloading dependencies at build time
MacPorts
noreply at macports.org
Wed Sep 30 17:57:54 UTC 2020
#61192: Lots of golang ports are downloading dependencies at build time
-------------------------------------------------+-------------------------
Reporter: amake | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: annie aws-vault certigo chezmoi |
cloudmonkey copilot croc elvish evans fzf |
gitqlite glow go-migrate golangci-lint gore |
gotop grpcurl hugo ipfs istioctl jenkins-cli |
k9s krew kubergrunt kustomize micro mole |
newreleases pulumi rclone scw staticcheck |
syncthing tektoncd-cli terragrunt trivy uni |
up webify wtfutil yq |
-------------------------------------------------+-------------------------
Comment (by breun):
I should add: In the pre-go-module-system world, there was no danger of
dependencies being automatically downloaded, because all projects (as far
as I know) either committed their dependencies or used a third-party tool
like glide, et al. It's only recently that this has become a problem.

I must admit I do not completely understand what the problem exactly is. I
maintain a couple of Go ports, but I'm not very familiar with the Go
ecosystem. I am, however, very familiar with the Java ecosystem and the
Maven build tool specifically, and I'm used to build tools downloading
dependencies at build time (when not previously downloaded and locally
cached). Maven uses Maven repositories to download dependencies, which
support hashes and signatures, etc. Is the problem that Go builds download
dependencies without any checks? If not, what is the problem exactly?
--
Ticket URL: <https://trac.macports.org/ticket/61192#comment:53>
MacPorts <https://www.macports.org/>
Ports system for macOS