Open jfkw opened 6 months ago
Following discussion, we will continue with the spelling bundled(golang(EXPR))
to keep aligned with Fedora. Our spelling of EXPR
will be a valid Go module name and version number, which may or may not be the case with Fedora and other distros.
golang-packaging exposes a script called by the RPM auto provides system to generate
Provides: bundled(golang(EXPR))
for bundled Go dependency packages (i.e. Go library sources typically installed from Git). The script implementation should be updated to work with Go modules.The current implementation is designed to work with GOPATH and the corresponding populated source tree of dependency packages. The
go list
command is used to list dependency packages sources found under GOPATH. The packages installed under GOPATH did not carry their own usable version metadata. Version information was derived from the RPM packagingThe Go ecosystem now uses modules. As of go1.18+ go build embeds dependency package version metadata in the resulting binaries. This metadata is listed via the
go version -m
command.For accurate cross referencing with CVE checking tools, the spelling of the bundled Go module should be a valid a go module name and version number e.g.:
or
The contents of the dependency
EXPR
are necessarily going to change by virtue of the new Go module version number convention. If there are few or no current consumers of the obsolete and now rarely used old syntax, we might want to change the spelling from the currentbundled(golang(EXPR))
tobundled(go_modules(EXPR)
to accurately describe the provided item, and to align with Rust'sbundled(crate(EXPR))
.The new implementation can work without calling the
%go_provides
macro from the Go application package spec file. The macro was needed only to call the generating script with the SLE-11 version of RPM (EOL). The macro can be deprecated and eventually removed.