Introduce the dependency vendoring tool: dep.

[mandrigin]

Use commits from go-ethereum@release/1.7 for most of the dependencies.

TODO

• push 1.7.3 + dep branch to status-im/go-ethereum
• use status-im/go-ethereum as a source in Gopkg.toml
• create an issue to use dep prune when it is ready (no need to since prune will be a part of ensure)
• create an issue to create a CI check based on this comment → issue #556
• rebase fix for make test-e2e when it is available

Closes #223

[mandrigin]

Split changes into 2 commits to simplify reviewing:

• actual changes in the configs;
• dependencies update.

[adambabik]

Have you created a Gopkg.toml in our go-ethereum fork already?

[mandrigin]

@adambabik I did it in mandrigin/go-ethereum. There is a TODO for moving that to the status-im fork.
I just wanted to synchronize the effort with @divan about cleaning up status-im/go-ethereum.

[mandrigin]

rebased to the current develop, so make test-e2e works again.

[mandrigin]

Double-checked difference between vendor directories in upstream go-ethereum@1.7 and this PR. In github.com there are no differences in source files. We just have a different set of packages here, but if the packages exists in both upstream and here the revision is the same.

[mandrigin]

@divan @adambabik I created develop branch in status-im/go-ethereum, pointed this PR to it.

[mandrigin]

Hmm, is it by design, to lint vendor? Don't we need to ignore that?

[mandrigin]

Resolved WIP status. I'll take a look at the linter problem later.

[adambabik]

Hmm, is it by design, to lint vendor? Don't we need to ignore that?

vendor/ is not linted (we specifically pass packages in lint.mk to gometalinter) but if there are files in linted packages that import some dependencies and types do not match, it can complain. In this case, it probably won't even compile.

[mandrigin]

@adambabik, hmm, all the tests pass on my machine, both e2e and unit. Is that possible if it doesn’t compile?

[adambabik]

Cache maybe in Travis? Have you checked that on Travis and your local machine there are the same files?

[mandrigin]

@adambabik so it was an incompatibility of 2 libraries btcd and btcutil, but in the packages that we never use ourselves. Found a compatible version of btcutil (btcd is used by Geth).

[mandrigin]

@adambabik all the checks are green now.

[adambabik]

@mandrigin awesome! Btw. these packages are used in extkeys which is used in geth/account.

[adambabik]

@mandrigin are these constraints https://github.com/status-im/go-ethereum/blob/develop/vendor/vendor.json included in any Gopkg.* file?

[mandrigin]

Yes, in the lock file.

[mandrigin]

@divan @adambabik I added a short doc[1] on how to use dep and what are the ideas behind it. Please, review and share your opinion there.

[dshulyak]

@mandrigin please do a push to status-go repository, it will run tests on public network

they are failing currently (#565) and it would be nice to see if this PR will affect them in any way

[mandrigin]

@dshulyak done! https://travis-ci.org/status-im/status-go/builds/332265950 should have a test on a public network.

[dshulyak]

thanks, looks like it doesn't, test hangs the same way :)

[adambabik]

@mandrigin can you please post instruction how I can test it from scratch? Can I just delete vendor/ from status-go and dep ensure should do the trick or I need to do something more?

[dshulyak]

works well, i have couple of questions/suggestions

1. I am seeing this warning, shouldn't we use override for transitive deps?

However, these projects are not direct dependencies of the current project:
they are not imported in any .go files, nor are they in the 'required' list in
Gopkg.toml. Dep only applies [[constraint]] rules to direct dependencies, so
these rules will have no effect.

Either import/require packages from these projects so that they become direct
dependencies, or convert each [[constraint]] to an [[override]] to enforce rules
on these projects, if they happen to be transitive dependencies,

2. Usually it is good practice to strip tests from vendor directory. Can we add find vendor -name '*_test.go' -delete until it is not support by dep ensure?

[dshulyak]

something is missing here)

[mandrigin]

oops 😄

[mandrigin]

fixed in the latest push

[dshulyak]

i think it worth noting how to install dependencies from scratch, e.g dep ensure

[mandrigin]

Do we ever get a repo state when you need to install all deps from scratch? (aka with empty vendor)?

[dshulyak]

i guess you are right

[mandrigin]

fixed in the latest push

[dshulyak]

i would like to separate our deps and go-ethereum, what do you think about it?

[mandrigin]

I tried it, it doesn't seem to worth it.

1. If we have SHAs in the lock file (as we should) it isn't propagated to the main dependency. That makes the versions we use in status-go slightly different from what go-ethereum is using. That is exactly what we want to avoid.

2. If we have SHAs as constraints in go-ethereum/Gopkg.lock (via manual labour), we will have dependency resolution issues if a dependency is used both in status-go and go-ethereum (otto, for instance).

So the most stable method I found is to keep all the dependencies in Gopkg.toml of status-go.

[dshulyak]

i meant just to put our own deps on top of the file, then go-ethereum and then all of the go-ethereum deps. but maybe thats not worth it

[mandrigin]

Ah, no, that is a good idea, I'll do that.
One thing to note is that we won't have much of our dependencies in the toml file anyways.
The idea of this toml/lock split that the toml file contains only constrained dependencies. If we don't care about the version, we don't add this dep in there. So basically we will have:

1. btcutils (constrained because btcd)
2. go-ethereum (constrained because a custom source and a custom branch)
3. geth dependencies.

dep ensures that SHAs are in the lock file and the components aren't updated until you specifically ask for it.

[mandrigin]

fixed in the latest push

[dshulyak]

Also our vendor became 112M with tests, 86M without tests. And before that it was 32M. Do you know what might be the reason for such big change?

[mandrigin]

@dshulyak that's because dep ensure w/o dep prune keeps all the sub-packages of a dependency. For instance, if we only use github.com/foo/package/subpackage1, it will download the whole github.com/foo/package. dep prune is supposed to fix that, but it will also kill all C sources that we want to keep.

[mandrigin]

@dshulyak

I am seeing this warning, shouldn't we use override for transitive deps?

How to reproduce that? Is it with clean vendor?

[dshulyak]

@mandrigin at first i removed vendor and saw this warning, but after initial sync i can reproduce it as well

i suspect it might be related to dep version, i installed it in the morning)

dep:
 version     : devel
 build date  : 
 git hash    : 
 go version  : go1.9.2
 go compiler : gc
 platform    : linux/amd64

[mandrigin]

@dshulyak this warning... I can't reproduce it locally 😢

[dshulyak]

@mandrigin I just discovered that the code required for pruning unused packages and test files was merged and will be a part of next release. but in the documentation, we are recommending to use dep tool straight from GitHub, so maybe it makes sense to rely on those features and make our vendor folder smaller from the beginning. what do you think?

0. Absorb prune into ensure golang/dep#944
1. Add prune options to manifest golang/dep#1226

[dshulyak]

Even if we can only remove tests it will reduce the size of vendor by ~30M

[mandrigin]

@dshulyak I think it might make sense have a follow-up issue when the dep's functionality is released. Knowing which dependencies we use looks more important for me than the repo size.

[dshulyak]

sure, sounds good to me

[dshulyak]

regarding the warning, the result was identical anyway, so I assume we can figure out its meaning later

[mandrigin]

@dshulyak #569

[themue]

The number of dependencies is alway horrifying.

LGTM

[dshulyak]

@mandrigin please rebase, i fixed mistake that blocked CI #572

[dshulyak]

good news, you don't have to :) restart of the job helped