OK, I've asked security about this, and the answer is that dh-golang is not a hard requirement from the security team. The fact is that pay- service is not installable via "go get" and there is no good reason to make it so (golang's build tools lack a significant amount of system integration support, or support for building libraries and tools which are not written in go). This seems like the same issue of whether one should be required to use setup.py to install all python code or not, and there is no such requirement for that. Enforcing a requirement as such for binaries written with go does not seem good here.
As for the bundled source code, there is also no hard requirement that code may not be bundled, and there is precedent for having bundled code in packages (many GNOME packages have historically bundled code for certain in-development widgets and APIs for example). So I don't think either of those two things should be a blocker for going into main here. Perhaps we can move away from bundled source in the future for many things, but I see no reason to force a project into a state where it is harder to maintain, in order to have the portion of code which is written in golang, to be installable with go get. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1614202 Title: [MIR] pay-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pay-service/+bug/1614202/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
