Revision as of 16:52, 2 October 2013
Go Packaging Guidelines
Naming
Package Names
The Go idiom is that the import paths of libraries are fully qualified domain names, which makes clear precisely which upstream is being used. We acknowledge this qualified path in the Provides, but the package name should also indicate the upstream project as much as possible, truncating domain names and using '-' instead of '/'. For example, 'github.com/gorilla/context' would be 'golang-github-gorilla-mux' for the base RPM name. Similarly, the 'code.google.com/p/go.net' repository would have the base RPM name 'golang-googlecode-net'.
Versions
Many Go libraries do not use package versions or have regular releases, and are instead maintained in public version control. In this case, follow the standard Fedora version conventions. This means that often Go packages will have a version number of "0" and a release number like "0.10.git27435c6".
Packaging Binaries
Some applications (like Docker) simply happen to be written in Go and are not meant to be developed against (they do not offer a Go language API). These should be named after the upstream project, and do not need a "golang" prefix or an import path added to the name.
Debuginfo and Stripping Binaries
Fedora's debuginfo system currently does not work on Go binaries. Additionally, stripped binaries may cause crashes and are officially not supported. Therefore, do not strip binaries, and use:
%global debug_package %{nil}
Dependencies
BuildRequires:
Packaging Libraries
Go libraries packaged in Fedora are primarily for building Fedora binary RPMs and are not meant to be developed against otherwise. For development, we encourage the upstream "go get" idiom and a per-user $GOPATH; specifically, there should be no system-wide GOPATH that users inherit. This avoids custom workflows that developers would be expected to learn just to develop on this distribution. Also, by not landing source into GOROOT, the golang standard library stays pure and developers do not need to be concerned with library path conflicts; instead they can choose to include the system path in their per-user path (e.g. export GOPATH=$HOME/go:/usr/share/gocode). This way a call to go get ... would land new source in the $HOME/go directory.
The standard golang compiler only produces static libraries. There is little value in shipping these prebuilt, especially since these libraries are very specifically tied to the exact minor release of the golang compiler. Instead, each library package should consist of a -devel subpackage which installs .go source code to /usr/share/gocode/src, under the appropriate import path.
Binary packages which build against this source will set $GOPATH to /usr/share/gocode or, better, '%{_datadir}/gocode'.
Dependencies
To match the fully qualified import paths of the projects and source, utilize the meta wrapper in the golang namespace to provide the import paths being packaged.
TODO: golang('github.com/gorilla/context') Requires:
Security in Go Language Packages
If there is a security issue in the standard Go library or in a library built into binary Go programs, all affected RPMs will need to be rebuilt.
In the event that a security issue is found in a library, all packages which have that library as a BuildRequires must be identified and rebuilt with the version and release of the fixed library added to the BuildRequires.
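One way to carry out the identification step above, as an added example that is not part of these guidelines: scan a directory of spec files for a BuildRequires on the affected import path and report which ones do not yet name the fixed version-release. It assumes BuildRequires use the golang(import/path) form from the Dependencies section; the function names, sample specs and the version-release string 0-0.11.gitabcdef0 are constructed for illustration.

```bash
#!/usr/bin/env bash
# rebuild_candidates SPEC_DIR IMPORT_PATH FIXED_EVR
# Prints "<spec name>\t<status>" for every spec that BuildRequires
# golang(IMPORT_PATH). Status is "pinned" when that BuildRequires line
# carries ">= FIXED_EVR" (exact string match, not an RPM version
# comparison) and "needs-pin" otherwise. Specs without the dependency
# are not listed.
rebuild_candidates() {
    local dir="$1" path="$2" fixed="$3" spec status
    for spec in "$dir"/*.spec; do
        [ -e "$spec" ] || continue
        # Drop quotes so golang('x') and golang(x) are treated alike.
        # index() compares literally, so dots in the path are not wildcards.
        status=$(tr -d "\"'" < "$spec" |
            awk -v dep="golang($path)" -v pin=">= $fixed" '
                tolower($0) ~ /^buildrequires:/ && index($0, dep) {
                    hit = 1
                    if (index($0, pin)) pinned = 1
                }
                END { if (hit) print (pinned ? "pinned" : "needs-pin") }')
        [ -n "$status" ] && printf '%s\t%s\n' "$(basename "$spec" .spec)" "$status"
    done
    return 0
}

# Constructed sample specs (not real Fedora packages).
write_samples() {
    printf 'Name: app-one\nBuildRequires:  golang(github.com/gorilla/context)\n' \
        > "$1/app-one.spec"
    printf "Name: app-two\nBuildRequires:  golang('github.com/gorilla/context') >= 0-0.11.gitabcdef0\n" \
        > "$1/app-two.spec"
    printf 'Name: app-three\nBuildRequires:  golang(github.com/gorilla/mux)\n' \
        > "$1/app-three.spec"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
rebuild_candidates "$demo_dir" github.com/gorilla/context 0-0.11.gitabcdef0
rm -rf "$demo_dir"
```

Every listed package needs a rebuild because the library source is compiled into its binary; "needs-pin" marks the specs whose BuildRequires must also be updated before rebuilding.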
Thanks
These guidelines are Fedora-specific but are intended to match Debian practice where that is reasonable.
Discussion
See Talk:PackagingDrafts/Go for discussion.