~theoryware.net - The Go "Package Manager" is awesome

The Go "Package Manager" is awesome

Posted: 2022-09-15 #programming #commentary
3 minute read.

Introduction

One big feature of many “modern” programming languages in this era is a package manager. This utility installs the libraries or programs needed to build and run software. It's a convenience tool that lets developers just “get the stuff” their program needs in order to run. However, these tools are double-edged swords: they have been under scrutiny for quite some time because of their ability to be a security nightmare.

npm, PyPI, crates.io, RubyGems, you name it: all of them have had malicious packages published at some point in their lifetimes. Fundamentally, these package managers are flawed in design. Rather than rant on a topic that has been argued to death, I would like to take a look at the Go programming language, which in my opinion has done a really good job of providing a “package manager” that tries to avoid the pitfalls of its competitors.

What Go does right

Go has a system for packaging libraries and software called modules. While I won't go into the details of a module's contents, I will show how they are installed, and it's quite simple.

$ go get url/name/module

In fact, it's so simple that I would argue go get¹ is just a git wrapper for Go modules. It simply clones the source tree of the package from wherever it is on the web and adds it to your $GOPATH (~/go by default). You could technically just clone modules into your GOPATH by hand, even though that might not be the smartest idea. But what sets this apart from other package systems is where the packages actually come from.

In the case of something like cargo or pip, packages come from crates.io or pypi.org respectively. Go modules have no central location where they are all kept, even if a hefty chunk of them live on GitHub. Instead, they are fetched directly from their source repository. In my opinion, this presents some unique advantages.
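As an added example (my own, not code from this post or from the Go project), here is how go get pins what it fetched from that source repository: a small Go program that recomputes the “h1:” hash go.sum records for a module's files, following the published dirhash.Hash1 layout, and checks a fetched tree against the recorded line. The module name example.com/greet and its two files are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles maps module zip entry names ("module@version/path") to contents.
type ModuleFiles map[string]string

// Hash1 recomputes the "h1:" hash that go.sum records for a module: SHA-256
// over the sorted lines "<sha256 of file>  <entry name>\n", base64-encoded.
func Hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names) // sorted, so the hash does not depend on map order
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256([]byte(files[n]))
		fmt.Fprintf(h, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// Verify checks a fetched tree against a recorded "<module> <version> <h1>"
// go.sum line; any mismatch fails, so a rewritten upstream tree is rejected.
func Verify(goSumLine, path, version string, files ModuleFiles) bool {
	f := strings.Fields(goSumLine)
	return len(f) == 3 && f[0] == path && f[1] == version && f[2] == Hash1(files)
}

func main() {
	files := ModuleFiles{ // constructed sample module, not a real one
		"example.com/greet@v1.0.0/go.mod":   "module example.com/greet\n\ngo 1.18\n",
		"example.com/greet@v1.0.0/greet.go": "package greet\n\nfunc Hello() string { return \"hi\" }\n",
	}
	line := "example.com/greet v1.0.0 " + Hash1(files) // what go.sum would store
	altered := ModuleFiles{ // the same tree after a silent change upstream
		"example.com/greet@v1.0.0/go.mod":   files["example.com/greet@v1.0.0/go.mod"],
		"example.com/greet@v1.0.0/greet.go": files["example.com/greet@v1.0.0/greet.go"] + "// changed\n",
	}
	fmt.Println("original verifies:", Verify(line, "example.com/greet", "v1.0.0", files))
	fmt.Println("altered verifies:", Verify(line, "example.com/greet", "v1.0.0", altered))
}
```

The real go.sum also stores a second line hashing only the module's go.mod file, which is omitted here.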

While these changes alone don't completely solve the security problems of language package managers, they simplify a lot of the issues that come with such tools without sacrificing their usefulness. Best of all, this approach promotes the benefits of freely-licensed and open source software.


  1. Technically, go get (as of version 1.18) will only install packages, and not build them; go install does that. This does not detract from my point, but it's worth mentioning.

Have a comment or question? Shoot an email to ~theorytoe/public-inbox@lists.sr.ht, my public inbox.
