[gentoo-dev] [PATCH 0/1] introduce an eclass to handle go modules (round 5)

[gentoo-dev] [PATCH 0/1] introduce an eclass to handle go modules (round 5)

[William Hubbs]

After some discussion with zmedico, this iteration uses EGO_VENDOR from
the previous eclasses so that you don't have to make a vendor tarball.

Thanks,

William

William Hubbs (1):
  go-module.eclass: introduce new eclass to handle go modules

 eclass/go-module.eclass | 161 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 161 insertions(+)
 create mode 100644 eclass/go-module.eclass

-- 
2.21.0

[gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules

[William Hubbs]

Signed-off-by: William Hubbs <williamh@gentoo.org>
---
 eclass/go-module.eclass | 161 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 161 insertions(+)
 create mode 100644 eclass/go-module.eclass

diff --git a/eclass/go-module.eclass b/eclass/go-module.eclass
new file mode 100644
index 00000000000..6f609e94542
--- /dev/null
+++ b/eclass/go-module.eclass
@@ -0,0 +1,161 @@
+# Copyright 2019 gentoo authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: go-module.eclass
+# @MAINTAINER:
+# William Hubbs <williamh@gentoo.org>
+# @SUPPORTED_EAPIS: 7
+# @BLURB: basic eclass for building software written in the go
+# programming language that uses go modules.
+# @DESCRIPTION:
+# This eclass provides some basic things needed by all software
+# written in the go programming language that uses go modules.
+#
+# You will know the software you are packaging uses modules because
+# it will have files named go.sum and go.mod in its top-level source
+# directory. If it does not have these files, use the golang-* eclasses.
+#
+# This eclass provides a src_unpack function which unpacks the 
+# first tarball mentioned in SRC_URI to the usual location and unpacks
+# any modules mentioned in EGO_VENDOR to ${S}/vendor if upstream doesn't
+# vendor its own dependencies.
+#
+# If upstream vendors its dependencies, setting EGO_VENDOR is an error.
+#
+# Please note that this eclass currently handles only tarballs
+# (.tar.gz), but support for more formats may be added in the future.
+#
+# Since Go programs are statically linked, it is important that your ebuild's
+# LICENSE= setting includes the licenses of all statically linked
+# dependencies. So please make sure it is accurate.
+#
+# @EXAMPLE:
+#
+# @CODE
+# EGO_VENDOR=(
+#	"github.com/xenolf/lego 6cac0ea7d8b28c889f709ec7fa92e92b82f490dd"
+# "golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8 github.com/golang/crypto"
+# )
+#
+# inherit go-module
+#
+# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz
+# ${EGO_VENDOR_URI}"
+# @CODE
+#
+# The above example will extract the tarball to ${S} and
+# extract the contents of EGO_VENDOR to ${S}/vendor.
+
+case ${EAPI:-0} in
+	7) ;;
+	*) die "${ECLASS} API in EAPI ${EAPI} not yet established."
+esac
+
+if [[ -z ${_GO_MODULE} ]]; then
+
+_GO_MODULE=1
+
+BDEPEND=">=dev-lang/go-1.12"
+
+# Force go to build in module mode.
+# In this mode the GOPATH environment variable is ignored.
+# this will become the default in the future.
+export GO111MODULE=on
+
+# The following go flags should be used for all builds.
+# -mod=vendor stopps downloading of dependencies from the internet.
+# -v prints the names of packages as they are compiled
+# -x prints commands as they are executed
+export GOFLAGS="-mod=vendor -v -x"
+
+# Do not complain about CFLAGS etc since go projects do not use them.
+QA_FLAGS_IGNORED='.*'
+
+# Go packages should not be stripped with strip(1).
+RESTRICT="strip"
+
+EXPORT_FUNCTIONS src_unpack pkg_postinst
+
+# @ECLASS-VARIABLE: EGO_VENDOR
+# @DESCRIPTION:
+# This variable contains a list of vendored packages.
+# The items of this array are strings that contain the
+# import path and the git commit hash for a vendored package.
+# If the import path does not start with github.com, the third argument
+# can be used to point to a github repository.
+
+declare -arg EGO_VENDOR
+
+_go-module_set_vendor_uri() {
+	EGO_VENDOR_URI=
+	local lib
+	for lib in "${EGO_VENDOR[@]}"; do
+		lib=(${lib})
+		if [[ -n ${lib[2]} ]]; then
+			EGO_VENDOR_URI+=" https://${lib[2]}/archive/${lib[1]}.tar.gz -> ${lib[2]//\//-}-${lib[1]}.tar.gz"
+		else
+			EGO_VENDOR_URI+=" https://${lib[0]}/archive/${lib[1]}.tar.gz -> ${lib[0]//\//-}-${lib[1]}.tar.gz"
+		fi
+	done
+	readonly EGO_VENDOR_URI
+}
+
+_go-module_set_vendor_uri
+unset -f _go-module_set_vendor_uri
+
+_go-module_dovendor() {
+	local VENDOR_PATH=$1 VENDORPN=$2 TARBALL=$3
+	rm -fr "${VENDOR_PATH}/${VENDORPN}" || die
+	mkdir -p "${VENDOR_PATH}/${VENDORPN}" || die
+	tar -C "${VENDOR_PATH}/${VENDORPN}" -x --strip-components 1\
+		-f "${DISTDIR}/${TARBALL}" || die
+}
+
+# @FUNCTION: go-module_src_unpack
+# @DESCRIPTION:
+# Extract the first archive from ${A} to ${S}, then extract
+# any sources mentioned in ${EGO_VENDOR} to ${S}/vendor.
+go-module_src_unpack() {
+	local lib vendor_path x
+	set -- ${A}
+	x="$1"
+	mkdir -p "${S}" || die
+	tar -C "${S}/" -x --strip-components 1 \
+		-f "${DISTDIR}/${x}" || die
+
+	if [[ -n "${EGO_VENDOR}" ]]; then
+		vendor_path="${S}/vendor"
+		if [[ -d "${vendor_path}" ]]; then
+			eerror "Upstream for ${P}.ebuild vendors dependencies."
+			die "Remove EGO_VENDOR from the ebuild."
+		fi
+		mkdir -p "${vendor_path}" || die
+		for lib in "${EGO_VENDOR[@]}"; do
+			lib=(${lib})
+			if [[ -n ${lib[2]} ]]; then
+				einfo "Vendoring ${lib[0]} ${lib[2]//\//-}-${lib[1]}.tar.gz"
+				_go-module_dovendor "${vendor_path}" ${lib[0]} \
+					${lib[2]//\//-}-${lib[1]}.tar.gz
+			else
+				einfo "Vendoring ${lib[0]} ${lib[0]//\//-}-${lib[1]}.tar.gz"
+				_go-module_dovendor "${vendor_path}" ${lib[0]} \
+				${lib[0]//\//-}-${lib[1]}.tar.gz
+			fi
+		done
+	fi
+}
+
+# @FUNCTION: go-module_pkg_postinst
+# @DESCRIPTION:
+# Display a warning about security updates for Go programs.
+go-module_pkg_postinst() {
+	ewarn "${PN} is written in the Go programming language."
+	ewarn "Since this language is statically linked, security"
+	ewarn "updates will be handled in individual packages and will be"
+	ewarn "difficult for us to track as a distribution."
+	ewarn "For this reason, please update any go packages asap when new"
+	ewarn "versions enter the tree or go stable if you are running the"
+	ewarn "stable tree."
+}
+
+fi
-- 
2.21.0

Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules

[Michał Górny]

[-- Attachment #1: Type: text/plain, Size: 6498 bytes --]

On Wed, 2019-09-18 at 15:26 -0500, William Hubbs wrote:
> Signed-off-by: William Hubbs <williamh@gentoo.org>
> ---
>  eclass/go-module.eclass | 161 ++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 161 insertions(+)
>  create mode 100644 eclass/go-module.eclass
> 
> diff --git a/eclass/go-module.eclass b/eclass/go-module.eclass
> new file mode 100644
> index 00000000000..6f609e94542
> --- /dev/null
> +++ b/eclass/go-module.eclass
> @@ -0,0 +1,161 @@
> +# Copyright 2019 gentoo authors
> +# Distributed under the terms of the GNU General Public License v2
> +
> +# @ECLASS: go-module.eclass
> +# @MAINTAINER:
> +# William Hubbs <williamh@gentoo.org>
> +# @SUPPORTED_EAPIS: 7
> +# @BLURB: basic eclass for building software written in the go
> +# programming language that uses go modules.
> +# @DESCRIPTION:
> +# This eclass provides some basic things needed by all software
> +# written in the go programming language that uses go modules.
> +#
> +# You will know the software you are packaging uses modules because
> +# it will have files named go.sum and go.mod in its top-level source
> +# directory. If it does not have these files, use the golang-* eclasses.
> +#
> +# This eclass provides a src_unpack function which unpacks the 
> +# first tarball mentioned in SRC_URI to the usual location and unpacks
> +# any modules mentioned in EGO_VENDOR to ${S}/vendor if upstream doesn't
> +# vendor its own dependencies.
> +#
> +# If upstream vendors its dependencies, setting EGO_VENDOR is an error.
> +#
> +# Please note that this eclass currently handles only tarballs
> +# (.tar.gz), but support for more formats may be added in the future.
> +#
> +# Since Go programs are statically linked, it is important that your ebuild's
> +# LICENSE= setting includes the licenses of all statically linked
> +# dependencies. So please make sure it is accurate.
> +#
> +# @EXAMPLE:
> +#
> +# @CODE
> +# EGO_VENDOR=(
> +#	"github.com/xenolf/lego 6cac0ea7d8b28c889f709ec7fa92e92b82f490dd"
> +# "golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8 github.com/golang/crypto"
> +# )
> +#
> +# inherit go-module
> +#
> +# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz
> +# ${EGO_VENDOR_URI}"
> +# @CODE
> +#
> +# The above example will extract the tarball to ${S} and
> +# extract the contents of EGO_VENDOR to ${S}/vendor.
> +
> +case ${EAPI:-0} in
> +	7) ;;
> +	*) die "${ECLASS} API in EAPI ${EAPI} not yet established."
> +esac
> +
> +if [[ -z ${_GO_MODULE} ]]; then
> +
> +_GO_MODULE=1
> +
> +BDEPEND=">=dev-lang/go-1.12"
> +
> +# Force go to build in module mode.
> +# In this mode the GOPATH environment variable is ignored.
> +# this will become the default in the future.
> +export GO111MODULE=on
> +
> +# The following go flags should be used for all builds.
> +# -mod=vendor stopps downloading of dependencies from the internet.
> +# -v prints the names of packages as they are compiled
> +# -x prints commands as they are executed
> +export GOFLAGS="-mod=vendor -v -x"
> +
> +# Do not complain about CFLAGS etc since go projects do not use them.
> +QA_FLAGS_IGNORED='.*'
> +
> +# Go packages should not be stripped with strip(1).
> +RESTRICT="strip"
> +
> +EXPORT_FUNCTIONS src_unpack pkg_postinst
> +
> +# @ECLASS-VARIABLE: EGO_VENDOR
> +# @DESCRIPTION:
> +# This variable contains a list of vendored packages.
> +# The items of this array are strings that contain the
> +# import path and the git commit hash for a vendored package.
> +# If the import path does not start with github.com, the third argument
> +# can be used to point to a github repository.
> +
> +declare -arg EGO_VENDOR
> +
> +_go-module_set_vendor_uri() {
> +	EGO_VENDOR_URI=
> +	local lib
> +	for lib in "${EGO_VENDOR[@]}"; do
> +		lib=(${lib})
> +		if [[ -n ${lib[2]} ]]; then
> +			EGO_VENDOR_URI+=" https://${lib[2]}/archive/${lib[1]}.tar.gz -> ${lib[2]//\//-}-${lib[1]}.tar.gz"
> +		else
> +			EGO_VENDOR_URI+=" https://${lib[0]}/archive/${lib[1]}.tar.gz -> ${lib[0]//\//-}-${lib[1]}.tar.gz"
> +		fi
> +	done
> +	readonly EGO_VENDOR_URI
> +}
> +
> +_go-module_set_vendor_uri
> +unset -f _go-module_set_vendor_uri
> +
> +_go-module_dovendor() {
> +	local VENDOR_PATH=$1 VENDORPN=$2 TARBALL=$3
> +	rm -fr "${VENDOR_PATH}/${VENDORPN}" || die
> +	mkdir -p "${VENDOR_PATH}/${VENDORPN}" || die
> +	tar -C "${VENDOR_PATH}/${VENDORPN}" -x --strip-components 1\
> +		-f "${DISTDIR}/${TARBALL}" || die
> +}
> +
> +# @FUNCTION: go-module_src_unpack
> +# @DESCRIPTION:
> +# Extract the first archive from ${A} to ${S}, then extract
> +# any sources mentioned in ${EGO_VENDOR} to ${S}/vendor.
> +go-module_src_unpack() {
> +	local lib vendor_path x
> +	set -- ${A}
> +	x="$1"
> +	mkdir -p "${S}" || die
> +	tar -C "${S}/" -x --strip-components 1 \
> +		-f "${DISTDIR}/${x}" || die
> +
> +	if [[ -n "${EGO_VENDOR}" ]]; then
> +		vendor_path="${S}/vendor"
> +		if [[ -d "${vendor_path}" ]]; then
> +			eerror "Upstream for ${P}.ebuild vendors dependencies."
> +			die "Remove EGO_VENDOR from the ebuild."
> +		fi
> +		mkdir -p "${vendor_path}" || die
> +		for lib in "${EGO_VENDOR[@]}"; do
> +			lib=(${lib})
> +			if [[ -n ${lib[2]} ]]; then
> +				einfo "Vendoring ${lib[0]} ${lib[2]//\//-}-${lib[1]}.tar.gz"
> +				_go-module_dovendor "${vendor_path}" ${lib[0]} \
> +					${lib[2]//\//-}-${lib[1]}.tar.gz
> +			else
> +				einfo "Vendoring ${lib[0]} ${lib[0]//\//-}-${lib[1]}.tar.gz"
> +				_go-module_dovendor "${vendor_path}" ${lib[0]} \
> +				${lib[0]//\//-}-${lib[1]}.tar.gz
> +			fi
> +		done
> +	fi
> +}
> +
> +# @FUNCTION: go-module_pkg_postinst
> +# @DESCRIPTION:
> +# Display a warning about security updates for Go programs.
> +go-module_pkg_postinst() {
> +	ewarn "${PN} is written in the Go programming language."
> +	ewarn "Since this language is statically linked, security"
> +	ewarn "updates will be handled in individual packages and will be"
> +	ewarn "difficult for us to track as a distribution."
> +	ewarn "For this reason, please update any go packages asap when new"
> +	ewarn "versions enter the tree or go stable if you are running the"
> +	ewarn "stable tree."

I don't really understand why you're adding it to *this* eclass.  Isn't
it true for all Go packages?  So I suppose golang-* eclasses are
affected as well.

> +}
> +
> +fi

-- 
Best regards,
Michał Górny


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 618 bytes --]

Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules

[William Hubbs]

[-- Attachment #1: Type: text/plain, Size: 7224 bytes --]

On Wed, Sep 18, 2019 at 10:29:12PM +0200, Michał Górny wrote:
> On Wed, 2019-09-18 at 15:26 -0500, William Hubbs wrote:
> > Signed-off-by: William Hubbs <williamh@gentoo.org>
> > ---
> >  eclass/go-module.eclass | 161 ++++++++++++++++++++++++++++++++++++++++
> >  1 file changed, 161 insertions(+)
> >  create mode 100644 eclass/go-module.eclass
> > 
> > diff --git a/eclass/go-module.eclass b/eclass/go-module.eclass
> > new file mode 100644
> > index 00000000000..6f609e94542
> > --- /dev/null
> > +++ b/eclass/go-module.eclass
> > @@ -0,0 +1,161 @@
> > +# Copyright 2019 gentoo authors
> > +# Distributed under the terms of the GNU General Public License v2
> > +
> > +# @ECLASS: go-module.eclass
> > +# @MAINTAINER:
> > +# William Hubbs <williamh@gentoo.org>
> > +# @SUPPORTED_EAPIS: 7
> > +# @BLURB: basic eclass for building software written in the go
> > +# programming language that uses go modules.
> > +# @DESCRIPTION:
> > +# This eclass provides some basic things needed by all software
> > +# written in the go programming language that uses go modules.
> > +#
> > +# You will know the software you are packaging uses modules because
> > +# it will have files named go.sum and go.mod in its top-level source
> > +# directory. If it does not have these files, use the golang-* eclasses.
> > +#
> > +# This eclass provides a src_unpack function which unpacks the 
> > +# first tarball mentioned in SRC_URI to the usual location and unpacks
> > +# any modules mentioned in EGO_VENDOR to ${S}/vendor if upstream doesn't
> > +# vendor its own dependencies.
> > +#
> > +# If upstream vendors its dependencies, setting EGO_VENDOR is an error.
> > +#
> > +# Please note that this eclass currently handles only tarballs
> > +# (.tar.gz), but support for more formats may be added in the future.
> > +#
> > +# Since Go programs are statically linked, it is important that your ebuild's
> > +# LICENSE= setting includes the licenses of all statically linked
> > +# dependencies. So please make sure it is accurate.
> > +#
> > +# @EXAMPLE:
> > +#
> > +# @CODE
> > +# EGO_VENDOR=(
> > +#	"github.com/xenolf/lego 6cac0ea7d8b28c889f709ec7fa92e92b82f490dd"
> > +# "golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8 github.com/golang/crypto"
> > +# )
> > +#
> > +# inherit go-module
> > +#
> > +# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz
> > +# ${EGO_VENDOR_URI}"
> > +# @CODE
> > +#
> > +# The above example will extract the tarball to ${S} and
> > +# extract the contents of EGO_VENDOR to ${S}/vendor.
> > +
> > +case ${EAPI:-0} in
> > +	7) ;;
> > +	*) die "${ECLASS} API in EAPI ${EAPI} not yet established."
> > +esac
> > +
> > +if [[ -z ${_GO_MODULE} ]]; then
> > +
> > +_GO_MODULE=1
> > +
> > +BDEPEND=">=dev-lang/go-1.12"
> > +
> > +# Force go to build in module mode.
> > +# In this mode the GOPATH environment variable is ignored.
> > +# this will become the default in the future.
> > +export GO111MODULE=on
> > +
> > +# The following go flags should be used for all builds.
> > +# -mod=vendor stopps downloading of dependencies from the internet.
> > +# -v prints the names of packages as they are compiled
> > +# -x prints commands as they are executed
> > +export GOFLAGS="-mod=vendor -v -x"
> > +
> > +# Do not complain about CFLAGS etc since go projects do not use them.
> > +QA_FLAGS_IGNORED='.*'
> > +
> > +# Go packages should not be stripped with strip(1).
> > +RESTRICT="strip"
> > +
> > +EXPORT_FUNCTIONS src_unpack pkg_postinst
> > +
> > +# @ECLASS-VARIABLE: EGO_VENDOR
> > +# @DESCRIPTION:
> > +# This variable contains a list of vendored packages.
> > +# The items of this array are strings that contain the
> > +# import path and the git commit hash for a vendored package.
> > +# If the import path does not start with github.com, the third argument
> > +# can be used to point to a github repository.
> > +
> > +declare -arg EGO_VENDOR
> > +
> > +_go-module_set_vendor_uri() {
> > +	EGO_VENDOR_URI=
> > +	local lib
> > +	for lib in "${EGO_VENDOR[@]}"; do
> > +		lib=(${lib})
> > +		if [[ -n ${lib[2]} ]]; then
> > +			EGO_VENDOR_URI+=" https://${lib[2]}/archive/${lib[1]}.tar.gz -> ${lib[2]//\//-}-${lib[1]}.tar.gz"
> > +		else
> > +			EGO_VENDOR_URI+=" https://${lib[0]}/archive/${lib[1]}.tar.gz -> ${lib[0]//\//-}-${lib[1]}.tar.gz"
> > +		fi
> > +	done
> > +	readonly EGO_VENDOR_URI
> > +}
> > +
> > +_go-module_set_vendor_uri
> > +unset -f _go-module_set_vendor_uri
> > +
> > +_go-module_dovendor() {
> > +	local VENDOR_PATH=$1 VENDORPN=$2 TARBALL=$3
> > +	rm -fr "${VENDOR_PATH}/${VENDORPN}" || die
> > +	mkdir -p "${VENDOR_PATH}/${VENDORPN}" || die
> > +	tar -C "${VENDOR_PATH}/${VENDORPN}" -x --strip-components 1\
> > +		-f "${DISTDIR}/${TARBALL}" || die
> > +}
> > +
> > +# @FUNCTION: go-module_src_unpack
> > +# @DESCRIPTION:
> > +# Extract the first archive from ${A} to ${S}, then extract
> > +# any sources mentioned in ${EGO_VENDOR} to ${S}/vendor.
> > +go-module_src_unpack() {
> > +	local lib vendor_path x
> > +	set -- ${A}
> > +	x="$1"
> > +	mkdir -p "${S}" || die
> > +	tar -C "${S}/" -x --strip-components 1 \
> > +		-f "${DISTDIR}/${x}" || die
> > +
> > +	if [[ -n "${EGO_VENDOR}" ]]; then
> > +		vendor_path="${S}/vendor"
> > +		if [[ -d "${vendor_path}" ]]; then
> > +			eerror "Upstream for ${P}.ebuild vendors dependencies."
> > +			die "Remove EGO_VENDOR from the ebuild."
> > +		fi
> > +		mkdir -p "${vendor_path}" || die
> > +		for lib in "${EGO_VENDOR[@]}"; do
> > +			lib=(${lib})
> > +			if [[ -n ${lib[2]} ]]; then
> > +				einfo "Vendoring ${lib[0]} ${lib[2]//\//-}-${lib[1]}.tar.gz"
> > +				_go-module_dovendor "${vendor_path}" ${lib[0]} \
> > +					${lib[2]//\//-}-${lib[1]}.tar.gz
> > +			else
> > +				einfo "Vendoring ${lib[0]} ${lib[0]//\//-}-${lib[1]}.tar.gz"
> > +				_go-module_dovendor "${vendor_path}" ${lib[0]} \
> > +				${lib[0]//\//-}-${lib[1]}.tar.gz
> > +			fi
> > +		done
> > +	fi
> > +}
> > +
> > +# @FUNCTION: go-module_pkg_postinst
> > +# @DESCRIPTION:
> > +# Display a warning about security updates for Go programs.
> > +go-module_pkg_postinst() {
> > +	ewarn "${PN} is written in the Go programming language."
> > +	ewarn "Since this language is statically linked, security"
> > +	ewarn "updates will be handled in individual packages and will be"
> > +	ewarn "difficult for us to track as a distribution."
> > +	ewarn "For this reason, please update any go packages asap when new"
> > +	ewarn "versions enter the tree or go stable if you are running the"
> > +	ewarn "stable tree."
> 
> I don't really understand why you're adding it to *this* eclass.  Isn't
> it true for all Go packages?  So I suppose golang-* eclasses are
> affected as well.

You are correct, they are affected. No one, including myself, caught
that during the review cycle for those eclasses.
I'm not sure of a way we can go back and fix that without breaking
compatibility.

The goal here is that the go upstream world will move to modules and
eventually we will be able to move off of and get rid of the golang-*
eclasses.

William

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules

[Michael Orlitzky]

On 9/18/19 5:28 PM, William Hubbs wrote:
>>
>> I don't really understand why you're adding it to *this* eclass.  Isn't
>> it true for all Go packages?  So I suppose golang-* eclasses are
>> affected as well.
> 
> You are correct, they are affected. No one, including myself, caught
> that during the review cycle for those eclasses.

I've been bitching about this for at least four years:

https://archives.gentoo.org/gentoo-dev/message/2e89a3ccf9ceb4b61418d0ce30939f92