The hard-coded dependencies on GitHub (not to mention they're dependencies to code owned by someone else) have always bothered me. It seems like it would create a real problem for compiling, auditing, or even just testing code in the long run; and this example relies on a ton of them.
I haven't kept up with the state of the art Go packaging; have these problems been addressed?
Vendoring is the approach taken by many. Personally, I use godep. It vendors into your source the different libraries that you are using at a specific version (git hash in all the cases I use). This handles the compiling and locks in the particular version of the library which you have presumably audited. As far as testing goes, as long as you are making use of interfaces, testing should be easy enough.
I haven't kept up with the state of the art Go packaging; have these problems been addressed?