Comment 120 for bug 1267393

Jamie Strandboge (jdstrand) wrote :

@doko
"I'm still sceptical about how to track third party libaries, i.e. if
they are included as a dependency, or built form the vendorized
copies. dh-golang tries to do that, and sets the "Built-Using"
attribute for the binary packages. If juju-core doesn't want, or cannot use dh-golang, that should be done directly in the packaging. Is this a solved problem how to select which copy to use, or does this still need investigation?"

The security team has a mechanism for tracking embedded copies and while I would've preferred to see many of the embedded copies moved out to golang-*-dev packages, for 15.10 the security team agreed to the juju team updating juju to use the golang-*-dev packages that currently exist in the archive. I'll be filing a separate bug for 16.04 to pull out the others. Furthermore, We have developed in response to this MIR a process and tooling for tracking Built-Using. The upcoming https://code.launchpad.net/~james-page/ubuntu/wily/juju-core/mir-fixes/+merge/274052 uses Built-Using and dh-golang, so juju-core is 'ok' on this front.

"jujud is still linked statically. Is this needed for the juju-core
copy in the archive?"

As mentioned in comment 119, this is ok for 15.10.

This should remain 'Incomplete' and can be marked 'Fix Committed' once https://code.launchpad.net/~james-page/ubuntu/wily/juju-core/mir-fixes/+merge/274052 is uploaded.