[tombh]

It seems odd to me that Golang treats Github as a first class citizen for package management, yet a second class citizen for core contributions.

I'm really only a dabbler in Golang, so would appreciate any context.

For instance I was affected by the recent go-bindata owner change[1]. The Github user deleted their account and some random user reregistered the original user's name and recreated the repo (albeit seemingly innocently to help everyone get their CIs running again).

Actually while we're on the subject, Golang's whole package management experience is surprisingly disappointing :/

[1]https://www.reddit.com/r/golang/comments/7vv9zz/popular_lib_...

[pokstad]

Go does not treat Github any differently than any other VCS provider when it comes to package management.

OG gophers vendor their deps into their repo and avoid creating dependencies on 3rd party code whenever possible. The Go stdlib is very full featured so it is not unrealistic.

The problem with the go-bindata could be avoided by always vendoring/forking your deps and never trust any VCS provider (e.g. GitHub, Bitbucket, source forge) to handle your critical dependency needs.

[heinrich5991]

Go does have special handling for Github: https://github.com/golang/go/blob/816154b06553a4cf8ee7ad089f....

[Vendan]

Except that that link also shows special handling for 5 other VCS hosts, and you can have your own website given the same special handling by putting meta tags in the html. Github is not given special handling that no other VCS host is allowed.

[joerichey]

Take a look at the dep[1] tool. It allows you to ship your project with all of its dependencies included. This means that only your source is needed to build your application/package.

The Gopkg.toml/Gopkg.lock files in dep are quite similar to Rust's Cargo.toml/Cargo.lock files. I think it's a good move as Rust has probably the best package management story out there.

Also, as the other comment mentioned, github.com is not "special" in any way. Any website with a git repo will work just as well. In fact, some key libraries are served from golang.org/x/<whatever>[2] not github.com.

[1]https://github.com/golang/dep [2]https://github.com/golang/go/wiki/SubRepositories

[howeyc]

If you need an internet connection to complete any part of your build you are doing it wrong.

Anyone who vendored, or at worst kept a local copies of their dependencies littered all over their machine somewhere would have been fine.