wireguard-go relative imports
Patrick Glandien
patrick at synix.io
Tue Feb 20 10:10:14 CET 2018
(Pardon for previously sending an HTML response)
Dominik,
While relative imports are discouraged in Go, I could see it making it
sense in the context of highly sensitive code such as wireguard.
The go dependency system, including `go get`, don't guarantee as to
whether the code is authentic (e.g. signed).
This is a problem to the entire ecosystem of the language as recently
witnessed when someone replaced a commonly used go package hosted on
github after the user deleted his account: <https://redd.it/7vv9zz>.
I have not looked into the wireguard-go code very much, but if it's
merely meant to be a wireguard implementation in Go (not to be used as
a library) - then either relative import paths or top-level paths in
an isolated go workspace would be sensible and should not be changed
to the usual canonical URL imports.
— Patrick Glandien
More information about the WireGuard
mailing list