New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vgo: Building Go projects without assuming remote repository is accessible #24054
Comments
According to https://research.swtch.com/vgo-tour |
From the proposal, it seems that the The replacing workflow looks like a way to address the issue of necessary hot-patches to upstream code. That's another important benefit of our current vendoring workflow, so I'm glad that vgo supports something analogous as well! But I don't think that's a solution here. From the post, it seems like the assumption is that It also means that, every time we want to update a dependency, we'd have to update it in two steps, not one - we'd first have to update our internal fork (whether in the same repository as our main project or a different one) and then we'd have to update the minimal version specified in go.mod. The two-step update process adds friction, which is key to the second scenario described in the blog post above (preventing people from accidentally reintroducing known regressions). In that scenario, adding friction is the desired outcome, but I don't think we want to impose the same level of friction every time we update a dependency. |
First, let me +1 the point that having to set up services is a significant barrier to adoption in companies. I worked for one of the biggest Go shops in a sense, and even there having to set up a service, getting it on the right networks for both developers and CI, and maintaining it, would have been a problem and friction. Second, it looks to me like a I, too, am a fan of self-contained projects. In a way they are the static binaries of source trees. |
@FiloSottile to make sure I understand: in that case, the |
No, I'm talking about the |
|
It appears that vgo drops the
vendor/
directory. One of the advantages of thevendor/
directory in previous Go dependency management tools is that a project can be built with nothing but a local copy of the repository and the standard library.There are two situations that I have in mind:
Project A depends on github.com/b/c. The author of github.com/b/c deletes the repository (or, alternatively, has their account suspended by Github).
Project A depends on github.com/b/c. Project A needs to be built in a build system that does not have external network access to Github (ie, behind a private VPN).
With the
vendor/
directory, both of these situations are readily solved, because github.com/b/c is vendored inside the repository for Project A. It appears that, with vgo, the absence of the vendor directory means that we need to assume github.com/b/c will exist in perpetuity and will be accessible by the build system.In theory, it would be possible to build a cache of the packages, but this becomes resource-intensive. For personal projects, there really isn't an automated way to defend against (1). For (2), a company needs to invest resources into building a system that will cache packages locally and make them available. Not all companies that rely on Go will have the ability to do that - mine included.
Our company (Stripe) is primarily not a Go shop, but we do rely on Go for several key pieces of our infrastructure. One of the major advantages of Go which allowed it to gain adoption internally is that, unlike the other languages we use, it required a very minimal build infrastructure - all we needed to do was set up the standard Go toolchain. I don't think that we'd be able to build an internal cache or proxy specifically to support Go builds.
How do we address these issues in a vgo-based workflow?
The text was updated successfully, but these errors were encountered: