snapd bundles golang dependencies despite being in main
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
snapd (Ubuntu) |
Triaged
|
Undecided
|
Unassigned |
Bug Description
It is security and MIR team policy to ensure that statically built golang packages in main use archive packages for their golang dependencies rather than bundling them in.
When putting snappy into main for xenial (see bug 1548887), there was a lot of work to properly depend on archive packages. That work seems to have regressed and it now appears that the snapd package is bundling all dependencies in as vendor modules. It looks like this bundling started in 2.16 (Sep 2016).
You can find some documentation on the policies:
- http://
- https:/
- http://
I'm guessing that the bundling was motivated by trusty support, which may not have the requisite archive packages in it? But we should have a discussion about the resulting policy breakage and what to do about it. I don't believe that discussion has happened yet.
Besides the support issues, this also means that snapd trunk can't be built directly (e.g. in a PPA).
Changed in snapd (Ubuntu): | |
status: | New → Triaged |
Snapd is a complex application that is constantly evolving (new features are being added in nearly every release made) and it is unreasonable to create something like snapd without depending on a new library or new version of a library as the need arises. Bringing each and every dependency back to 14.04, 16.04, 16.10 and 17.04 on an on-going basis is unrealistic as it would easily consume the time of a full-time engineer that we cannot allocate at this time. During the way the Debian and Ubuntu policy is structured this would also delay (possibly each new release) by weeks at a time.
Snapd has been granted exceptional SRU process in recognition of the unique role it plays in stable distributions and the unique shift in process it represents. While one could easily do everything "the old way", packaging each small golang library, going through weeks in NEW or in SRU (for every Ubuntu release around) this would severely compromise our mission to deliver a fantastic new package manager to everyone. At the same time you must realize that it would just be a specific class of busy work. There's no final difference if snapd copies a .go file into the vendor tree (which is managed automatically with go vendor), into some other directory or if we put it in Ubuntu. This all results in the exact same effect. We choose to recognize this fact and spend our resources resourcefully to maximize the effect our efforts have on the world.
One more significant argument is on the QA effort. A snap (not snapd) delivered to 14.04, 16.04, 16.10 and any other (non-ubuntu distribution) is the exact same binary object. QA effort spent on one release has non-zero, valuable measure on every other release. To maintain our aggressive release schedule we at the very least wish to build the exact same source everywhere (we cannot yet use the exact same binary but that would be even better for the reason outlined above).
I hope that this explanation makes sense and that we can all see the big picture. Having said that I would like to work with you to improve whatever we can as long as it doesn't severely stretch our resources.