[Docker-maint] [pkg-go] Guidance for packaging Docker for Debian

Martín Ferrari tincho at tincho.org
Thu Mar 15 12:52:00 UTC 2018

On 15/03/18 09:22, Arnaud Rebillout wrote:

> So I made a beginner mistake, but I'm learning, and hopefully I'm on the
> right track !

Don't worry, we've all been there.. the go ecosystem is a mess.

> I don't know what's the best way to deal with this situation, so if
> anyone from the team can provide some advice, that would be super welcome !

I sometimes have kept small dependencies vendored in for convenience..
But keeping the whole containerd seems wrong to me. Specially
considering that it is something that can have security implications.
Vendoring means nobody knows that version is there, so no audits; and
the problem of patching separate copies, with different versions, when
there is some patch to urgently apply..

In an ideal world, we should try to convince the docker people to use
stable APIs (that means using only released non-alpha versions!), or at
least to fix the incompatibilities with 1.0.2. I think it is at least
worth a try.

The other way, which we have done many times, is to patch the software
ourselves. I have no idea why docker does not build with that version,
but sometimes it is not that difficult to fix.

my 2¢
Martín Ferrari (Tincho)

More information about the Docker-maint mailing list