After almost two years of planning, reviewing and writing code, figuring out and setting up the infrastructure, we’re happy to announce that StableLib is open to the public!
StableLib is a collection of vetted and reviewed high-quality open source packages for Go, professionally maintained by us. In other words, it’s a long-term support (LTS) distribution of Go packages.
Each package receives backward compatible updates, bug fixes and security issue fixes for three years, keeping compatibility with the current and future compilers (starting from Go 1.4).
We do the hard work of reviewing code, merging changes, investigating reported issues and communicating with upstreams, while your team develops software without worrying about compatibility changes in dependencies or third-party code quality. We also notify you about updates and send security alerts.
StableLib packages are available from the
You import them in your code:
go get to install or update:
go get -u stablelib.com/v1/crypto/siphash
The go get tool hits our server, which replies with a URL of the Git repository to fetch from our CDN. Since we use these repositories for distribution, but not for development, they are lightweight: each commit represents one version. All commits are signed with our GPG key, and everything is served only via HTTPS (not HTTP, not git://, not even git+ssh://).
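The resolution step described above, as an added example that is not StableLib's own code: it assumes the server answers with Go's standard go-import meta tag, and it accepts the advertised repository only if it is a Git repository served over HTTPS. The function name and the CDN host name are placeholders chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// metaRe matches the go-import meta tag that "go get" looks for in the
// HTML returned for https://<import-path>?go-get=1.
var metaRe = regexp.MustCompile(`<meta\s+name="go-import"\s+content="([^"]*)"`)

// ResolveRepo (hypothetical helper) returns the repository URL advertised for
// importPath, accepting it only if it is a Git repository served over HTTPS.
func ResolveRepo(importPath, html string) (string, error) {
	for _, m := range metaRe.FindAllStringSubmatch(html, -1) {
		f := strings.Fields(m[1]) // "<import-prefix> <vcs> <repo-url>"
		if len(f) != 3 {
			continue
		}
		prefix, vcs, repo := f[0], f[1], f[2]
		if importPath != prefix && !strings.HasPrefix(importPath, prefix+"/") {
			continue // tag describes a different package tree
		}
		if vcs != "git" {
			return "", fmt.Errorf("unexpected VCS %q", vcs)
		}
		u, err := url.Parse(repo)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("refusing non-HTTPS repository %q", repo)
		}
		return repo, nil
	}
	return "", errors.New("no matching go-import meta tag")
}

func main() {
	// Constructed response; cdn.example.invalid is a placeholder host.
	page := `<html><head><meta name="go-import" content="stablelib.com/v1/crypto/siphash git https://cdn.example.invalid/v1/crypto/siphash.git"></head></html>`
	repo, err := ResolveRepo("stablelib.com/v1/crypto/siphash", page)
	fmt.Println(repo, err)
}
```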
Later this year we will also release a stablelib tool to simplify common tasks and improve security of package distribution by automatically verifying our GPG signatures when you download or update a package.
While packages in StableLib retain backward compatibility (your code won’t break if there is an update), you can also vendor our packages using your favorite vendoring tool, for example, godep.
We are launching with 36 most useful packages: popular database drivers (MySQL/MariaDB, PostgreSQL, SQLite, Redis, Bolt, CDB), packages for web development (router, sessions, signed cookies, context, form processing, throttling, CSRF protection, security headers, websockets), modern cryptography (BLAKE2, SipHash, Ed25519 signatures, etc.), fast data compression (LZ4 and Snappy), MessagePack, unique string generator, LRU cache, bloom filters, leveled logging, etc.
You can browse all packages, view installation instructions, release notes, and jump to their documentation from there.
We plan to add more packages in the near future. Feel free to let us know what you would like to see in StableLib.
We are very grateful to the authors of packages included in StableLib.
If you’re a contributor to these packages, we want to reassure you that we will do everything in our power to support your work. Currently, we do so by reviewing code and sending patches, investigating bug reports sent to us, and sponsoring the development of some packages. In the future we want to hire a technical writer to improve documentation of all included packages, and we’re also looking at the possibility of sponsoring more contributors.
Most of the projects that we include don’t have an official release cycle: what’s available is either a development repository without any compatibility promise or a release repository with a major version switch via git tags or gopkg.in, and in this case the old version often becomes abandoned. We think that having a package in StableLib is beneficial for open source package authors: we would all rather work on new and exciting code than spend time backporting security fixes to the stable version, so it’s a plus that someone else is doing this work.
We display the upstream URL for each package on our website and in the README, and, of course, the original licenses are honoured and listed in LICENSE files. We only include packages with liberal, non-viral licenses: BSD-like, MIT, Apache 2, or MPL, so that StableLib users don’t have to publish their proprietary code: there is no GPL/LGPL code.
Additionally, if you’re an author of an open source package (not necessarily included in StableLib), feel free to import in your open source code.
StableLib is free for open source and personal non-commercial projects.
Businesses can buy a monthly or yearly subscription for $20 (originally $79) per month per developer. Subscription gives you access to our CDN, notifications about updates and security vulnerability alerts, technical support, and, in the future, subscribers-only content, such as knowledge base and training materials.
StableLib is a stable foundation for your company’s Go projects, so if you’d rather spend time writing your software, and using third-party code, not finding or managing it, sign up now!
Dmitry Chestnykh, Founder
Update (Jul 2): new price as announced here