I'm quite confident everyone would agree that dealing with C deps is a huge pain compared to go packages. I'm even developing a build command for my package to pull and build C deps before building the package.
When I saw vgo I thought, it would be nice if this did the work instead of having to write a build command. I know that would mean allowing arbitrary code execution unless go had its own makefile/configure/etc... parser.
If it is not automatic and the user can inspect the build commands, I believe it's no more dangerous than putting in a readme asking users to download and install a C library.
go get was running the commands automatically without the user knowing beforehand, so I can understand why blocking that would be important. However, if a user has to opt in with a flag, then they are given the chance to audit the commands, and it is not any more harmful than a line in the readme saying go download and install this lib running these commands.