On Tue, Oct 01, 2019 at 01:33:34PM +0200, Bjoern Walk wrote:
> Daniel P. Berrangé <berrange(a)redhat.com> [2019-09-27, 01:52PM +0100]:
> +package main
> +
> +import (
> + "flag"
> + "fmt"
> + "github.com/spf13/pflag"
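Review bot: in the import block, "github.com/spf13/pflag" sits in the same group as the standard-library "flag" and "fmt" imports; put the third-party import in its own group after a blank line, so the external dependency stands out to anyone auditing what the tool pulls in. Since both "flag" and pflag are imported, add a short comment saying why the standard package is still needed, or drop "flag" if pflag handles all option parsing.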
> I don't like external dependencies like this at all. Not from an
> administrative POV (there are likely a number of build environments,
> including ours, that want to build libvirt offline) and not from a
> security POV (this reminds me of the npm-debacles we see every now and
> then).

This is an inaccurate view of Go build/dependencies.

Nothing prevents you building Go code offline. This is exactly what
Fedora does for all Go code. By default the Go toolchain will pull
from the upstream directly, but you can tell it to use locally
packaged source, or can pre-populate a cache of downloaded content.

As for external dependencies in general, libvirt.so already links to
60+ libraries right now. Using external dependencies is a good thing
because you are not re-inventing the wheel constantly, instead picking
a solution that is already robust & tested.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
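
An added example, not part of the thread or of the libvirt patch: one way to check the "locally packaged source" route before attempting an offline build, assuming the dependencies are vendored with `go mod vendor` and the build runs with `GOFLAGS=-mod=vendor` and `GOPROXY=off`. The module name `example.org/tool`, the `example.org/helper` dependency and the versions are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample inputs: a go.mod and the matching vendor/modules.txt.
const sampleGoMod = "module example.org/tool\n\ngo 1.13\n\nrequire (\n\tgithub.com/spf13/pflag v1.0.5\n\texample.org/helper v0.2.0 // indirect\n)\n"
const sampleModulesTxt = "# github.com/spf13/pflag v1.0.5\ngithub.com/spf13/pflag\n"

// requiredModules returns "path version" for every require directive in go.mod.
func requiredModules(gomod string) []string {
	var out []string
	inBlock := false
	for _, l := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(l, "//", 2)[0]) // drop trailing comments
		switch {
		case len(f) == 2 && f[0] == "require" && f[1] == "(":
			inBlock = true
		case len(f) == 1 && f[0] == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out = append(out, f[0]+" "+f[1])
		case !inBlock && len(f) == 3 && f[0] == "require":
			out = append(out, f[1]+" "+f[2])
		}
	}
	return out
}

// missingFromVendor lists requirements with no "# path version" line in modules.txt.
func missingFromVendor(gomod, modulesTxt string) []string {
	vendored := map[string]bool{}
	for _, l := range strings.Split(modulesTxt, "\n") {
		if f := strings.Fields(l); len(f) >= 3 && f[0] == "#" {
			vendored[f[1]+" "+f[2]] = true
		}
	}
	var missing []string
	for _, m := range requiredModules(gomod) {
		if !vendored[m] {
			missing = append(missing, m)
		}
	}
	return missing
}

func main() { fmt.Println(missingFromVendor(sampleGoMod, sampleModulesTxt)) }
```

A reported module is something to review rather than a certain failure: a requirement that contributes no packages to the build may legitimately be absent from `vendor/modules.txt`.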