The go.sum shouldn't be used to retrieve the dependencies of a module #5
Comments
Ok, so what should we do about it?
I wonder if you could just fetch the go.mod too and compute the dependency tree using this file only with the help of the go command. I don't have time right now to test that though.
The go tool can tell you exactly what it intends to use after MVS is applied.
prints all required modules and versions.
will do the same but in JSON format for tools to consume. It looks like the method I suppose the tricky thing for this tool is currently it's simply pulling down If you like I can have a go at making that modification.
If you think it's a more robust approach, and it doesn't mean rewriting the entire tool, then sure, that would be great. On the other hand if it's a significant departure from the current implementation then maybe it should be a new tool entirely and this one should be deprecated. (This project is the full extent of my knowledge and practical use of golang, so anything more complex will be beyond my ability/appetite to maintain.)
I've got a work in progress that seems to do the right thing. The downside is that, depending on the project, it can inflate the vendored dependencies quite a lot compared to the existing approach. This is because the special Going with this approach might be good, though, as it would mean we could think about enabling module mode by default in the build infrastructure; In looking at this (I'm still pretty new to contributing ports) I'm wondering if there are improvements that can be made to how MacPorts handles this, as it's very hard to port anything that uses a custom domain name but that's not for this issue/repo I guess. :-)
The go.sum contains only cryptographic hashes for some versions of packages.
It doesn't give the authority on which package version must be used for the build; if the go.sum file has not been cleaned up it may contain several versions which have been used over time.
With this line
go2port/go2port.go
Line 550 in 0298d8d
we choose the last version found in the go.sum file for a given package, which may not be the one actually used as the dependency computed through the go.mod files' specifications.
We may expect that the highest version is actually the one used, but we do not have a strong guarantee for that either.
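Added example, not part of the issue thread or of go2port's code: a Go sketch of the mismatch described above. It mimics "keep the last version listed in go.sum" and compares the result with a build list shaped like the output of `go list -m -json all`; the go.sum and build-list contents, the example.com module paths, the hash placeholders and the function names are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed, untidied go.sum: example.com/lib appears at three versions.
const sampleGoSum = `example.com/lib v1.10.0 h1:AAAA=
example.com/lib v1.10.0/go.mod h1:BBBB=
example.com/lib v1.2.0/go.mod h1:CCCC=
example.com/lib v1.9.0/go.mod h1:DDDD=`

// Constructed build list, shaped like the JSON stream of `go list -m -json all`.
const sampleBuildList = `{"Path":"example.com/app","Main":true}
{"Path":"example.com/lib","Version":"v1.10.0"}`

// lastInGoSum (hypothetical helper) keeps the last version listed per module path.
func lastInGoSum(sum string) map[string]string {
	last := map[string]string{}
	for _, line := range strings.Split(sum, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			last[f[0]] = strings.TrimSuffix(f[1], "/go.mod")
		}
	}
	return last
}

// mismatches reports modules whose go.sum guess differs from the selected version.
func mismatches(guess map[string]string, list io.Reader) ([]string, error) {
	var out []string
	for dec := json.NewDecoder(list); ; {
		var m struct{ Path, Version string; Main bool }
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if !m.Main && guess[m.Path] != m.Version {
			out = append(out, fmt.Sprintf("%s: go.sum %s, selected %s", m.Path, guess[m.Path], m.Version))
		}
	}
}

func main() {
	fmt.Println(mismatches(lastInGoSum(sampleGoSum), strings.NewReader(sampleBuildList)))
}
```

Because go.sum lines are ordered as text, the last entry here (v1.9.0) is neither the selected version nor the highest one, so a vendoring tool that relies on it would fetch code the build never verifies against.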