Public bug reported:

It is security and MIR team policy to ensure that statically built golang packages in main use archive packages for their golang dependencies rather than bundling them in.

When putting snappy into main for xenial (see bug 1548887), there was a lot of work to properly depend on archive packages. That work seems to have regressed and it now appears that the snapd package is bundling all dependencies in as vendor modules. It looks like this bundling started in 2.16 (Sep 2016).

You can find some documentation on the policies:
- http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README.built_using
- https://wiki.ubuntu.com/MIRTeam
- http://pkg-go.alioth.debian.org/packaging.html

I'm guessing that the bundling was motivated by trusty support, which may not have the requisite archive packages in it? But we should have a discussion about the resulting policy breakage and what to do about it. I don't believe that discussion has happened yet.

Besides the support issues, this also means that snapd trunk can't be built directly (e.g. in a PPA).

** Affects: snapd (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1658181

Title:
  snapd bundles golang dependencies despite being in main
