README: document the package initialization order caveat

Keeping the original lexical sorting of Go packages would be very hard, as a Go program may import an unknown number of Go packages, and we load and obfuscate one package at a time by design. One option would be to load all packages upfront when obfuscating main packages, but that would break the per-package caching of ofbuscated Go packages, causing a huge slow-down in builds. Another option would be to not obfuscate import paths, which would clearly cause a worsening of the obfuscation quality. The third option is to not attempt to keep the original order, and document that as a caveat in the README. I suspect the vast majority of Go projects won't be affected by this, and those few that might be can always use imports to enforce the order. Closes #693, per the decision above to not change what we do.
2 months ago · f08edd026d
parent 9a2ef369b2
commit f08edd026d
1 changed files with 5 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -172,6 +172,11 @@ to document the current shortcomings of this tool.
   var _ = reflect.TypeOf(Message{})
   ```

+* Go programs [are initialized](https://go.dev/ref/spec#Program_initialization) one package at a time,
+  where imported packages are always initialized before their importers,
+  and otherwise they are initialized in the lexical order of their import paths.
+  Since garble obfuscates import paths, this lexical order may change arbitrarily.
+
 * Go plugins are not currently supported; see [#87](https://github.com/burrowers/garble/issues/87).
 * Garble requires `git` to patch the linker. That can be avoided once go-gitdiff supports [non-strict patches](https://github.com/bluekeyes/go-gitdiff/issues/30).