On 15/03/18 09:22, Arnaud Rebillout wrote: > So I made a beginner mistake, but I'm learning, and hopefully I'm on the > right track !
Don't worry, we've all been there.. the go ecosystem is a mess. > I don't know what's the best way to deal with this situation, so if > anyone from the team can provide some advice, that would be super welcome ! I sometimes have kept small dependencies vendored in for convenience.. But keeping the whole containerd seems wrong to me. Specially considering that it is something that can have security implications. Vendoring means nobody knows that version is there, so no audits; and the problem of patching separate copies, with different versions, when there is some patch to urgently apply.. In an ideal world, we should try to convince the docker people to use stable APIs (that means using only released non-alpha versions!), or at least to fix the incompatibilities with 1.0.2. I think it is at least worth a try. The other way, which we have done many times, is to patch the software ourselves. I have no idea why docker does not build with that version, but sometimes it is not that difficult to fix. my 2¢ -- Martín Ferrari (Tincho) _______________________________________________ Pkg-go-maintainers mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-go-maintainers
