Hi Afif, On 02/11/18 05:39, Afif Elghraoui wrote:
> In the HPC team, we maintain the singularity-container package, which > was recently rewritten in Go. This is the first Go package I've ever > built, so I was hoping one of you would look it over to make sure it's > done properly. So I took a quick look at this. The main 2 things that catch my attention are the build system and the vendored dependencies. About the build system, I am not sure what are they trying to do here, but my suggestion would be to try to ignore it completely and use dh-golang, which would make your life simpler. You are doing some weird (to me) things in debian/rules, but all that goes away if you switch to a standard build. Then, the vendoring directory is a problem. This is standard in the golang world, and our biggest source of headache as maintainers. You have there a source copy of half the archive, with different versions and possible security vulns lurching. What we do is to remove first everything that is already packaged, then package as much as possible of the rest, and only leave vendored small unimportant libs, or libs that are part of the project and are too intertwined to split in a different package. THis is the part that might take 90% of your work. Feel free to pop in #debian-golang if you need help with anything. Good luck! :) -- Martín Ferrari (Tincho)
