using build package as a dependency registers global flags on an executable

[keegancsmith]

This behaviour has been around for 7 years: https://github.com/mmcloughlin/avo/blame/a9457af26c1cc87edd13736b660f6f47b55c498d/build/global.go#L38

However, it leads to the command line flags in avo leaking into executables. This just happened to our project (and I expect more) since go-git uses github.com/pjbgf/sha1cd which uses avo. sha1cd project updated to avo 0.6.0 about a year ago. In particular we also defined a flag called "cpuprofile", which then lead to a runtime panic when using our tool.

See our related issue at sourcegraph/zoekt#893

[mmcloughlin]

I think the problem is that github.com/pjbgf/sha1cd should not itself depend on avo, since avo is a dev/build dependency used for code generation.

A common pattern for avo code generators is to use a separate module. The Go standard library calls these _asm, for example:

https://github.com/golang/go/blob/80bf7d83edbb48e2411d755f0636565467bb5a56/src/crypto/md5/_asm/go.mod

Other projects call it asm or avo.

[mmcloughlin]

I've posted an issue pjbgf/sha1cd#148 and a demo of what a fix might look like pjbgf/sha1cd#149. Perhaps we can continue discussion there.

[keegancsmith]

I see the PR to sha1cd was merged. Following up to say thank you for the high quality work! Thanks!