Go package policies
Go previous to version 1.6 did not handle dependencies (very well). Every package inside alpine aports should be made reproducible (aka reproducible builds). Many Go projects still do not support proper verdoring and will pull all its depends from master branches. Because of this, packages made in different time spans could differ from each other (they are not bit to bit equal). We can prevent this if the source from which we build will always be the same (hence we use checksums to verify source tarballs which we fetch from upstream projects).
We currently have 3 situations a Go packages could belong to:
- A package has no vendor directory (or is empty).
- A package has a vendor directory and contains a vendor file.
- A package has a vendor directory has a vendor file but also includes all deps.
TODO: write something about glide for #1
write something about glide or another pkg manager for #2
just do go build for #3
Allow stripping of go bins https://github.com/golang/go/issues/1242