-
-
Notifications
You must be signed in to change notification settings - Fork 353
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make exercism binary "go get"-able #17
Comments
That's excellent, thank you! |
I got myself stuck. Assuming that $GOPATH/src/github.com/$ME/$PROJECT/github.com/third_party/foo Or rather: $GOPATH/src/github.com/$ME/$PROJECT/third_party/foo And then when I import it, do I reference it as though it were still the On a related note, is there a blog post that discusses dependency management (pros? cons? pains? gotchas? religious wars?)? |
I think you want this one
and then your import statement is something like
It's long, but it'll work. You can reduce it down if you like, one possibility:
with the import
There's no hard-and-fast rule as to how it should be done, but this method is easy to understand and works well. (It's how we handle open source stuff internally at Google.) There is no small amount of consternation about this in the Go community, mainly because people really don't like copying and pasting code. From many corners there are calls for more automated solutions. So far we (the Go team) have resisted building some mechanisms to handle the versioning stuff, because fundamentally the problem is intractable and we can't see a solution that would work well for most people. Nathan Youngman produced a good doc explaining the situation. It's also a call-to-arms to the community to sort their shit out. I think the dependency management situation will improve through a combination of documentation and tooling, but I'm not sure what the final solution might be. |
My biggest concern is figuring out what a good/acceptable convention is, and then sticking with it. My second biggest concern is not putting my foot in my mouth with respect to a complicated, emotional topic. Thanks for the help with both of these :) |
You probably want to automate it. |
Would you elaborate please? At the moment, if someone clones the repository and says |
The suggestion is to clone your dependencies inside the repository to avoid Andrew
|
Ah, thanks for clarifying. Yes, I'm going to stick with this unless there are actual problems. |
Actually, now that I think this through, I think this issue can be closed. Thanks for the help, everyone! |
* Bump Go tooling to use 1.20.x for release and testing. ``` Scanning your code and 207 packages across 19 dependent modules for known vulnerabilities... Vulnerability #1: GO-2023-2043 Improper handling of special tags within script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2043 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#2: GO-2023-2041 Improper handling of HTML-like comments in script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2041 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#3: GO-2023-1987 Large RSA keys can cause high CPU usage in crypto/tls More info: https://pkg.go.dev/vuln/GO-2023-1987 Standard library Found in: crypto/tls@go1.19.8 Fixed in: crypto/tls@go1.21rc4 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext exercism#2: cli/cli.go:199:23: cli.extractBinary calls io.Copy, which eventually calls tls.Conn.Read exercism#3: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which calls tls.Conn.Write exercism#4: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Dialer.DialContext Vulnerability exercism#4: GO-2023-1878 Insufficient sanitization of Host header in net/http More info: https://pkg.go.dev/vuln/GO-2023-1878 Standard library Found in: net/http@go1.19.8 Fixed in: net/http@go1.20.6 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do exercism#2: cmd/troubleshoot.go:206:32: cmd.apiPing.Call calls http.Client.Get Vulnerability exercism#5: GO-2023-1840 Unsafe behavior in setuid/setgid binaries in runtime More info: https://pkg.go.dev/vuln/GO-2023-1840 Standard library Found in: runtime@go1.19.8 Fixed in: runtime@go1.20.5 Example traces found: #1: debug/debug.go:80:12: debug.DumpResponse calls log.Fatal, which eventually calls runtime.Caller exercism#2: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Callers exercism#3: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.CallersFrames exercism#4: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Frames.Next exercism#5: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.GC exercism#6: workspace/exercise_metadata.go:66:24: workspace.ExerciseMetadata.Write calls json.Marshal, which eventually calls runtime.GOMAXPROCS exercism#7: config/config.go:57:18: config.Dir calls os.Getenv, which eventually calls runtime.GOROOT exercism#8: cli/cli.go:202:29: cli.extractBinary calls os.File.Seek, which eventually calls runtime.KeepAlive exercism#9: cli/cli.go:135:2: cli.CLI.Upgrade calls os.File.Close, which eventually calls runtime.SetFinalizer exercism#10: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which eventually calls runtime.Stack exercism#11: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.TypeAssertionError.Error exercism#12: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.defaultMemProfileRate exercism#13: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.efaceOf exercism#14: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.findfunc exercism#15: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.float64frombits exercism#16: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.forcegchelper exercism#17: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta exercism#18: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.plainError.Error exercism#19: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.throw Vulnerability exercism#6: GO-2023-1753 Improper handling of empty HTML attributes in html/template More info: https://pkg.go.dev/vuln/GO-2023-1753 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#7: GO-2023-1752 Improper handling of JavaScript whitespace in html/template More info: https://pkg.go.dev/vuln/GO-2023-1752 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#8: GO-2023-1751 Improper sanitization of CSS values in html/template More info: https://pkg.go.dev/vuln/GO-2023-1751 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute ```
* Bump Go tooling to use 1.20.x for release and testing. ``` Scanning your code and 207 packages across 19 dependent modules for known vulnerabilities... Vulnerability #1: GO-2023-2043 Improper handling of special tags within script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2043 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#2: GO-2023-2041 Improper handling of HTML-like comments in script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2041 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#3: GO-2023-1987 Large RSA keys can cause high CPU usage in crypto/tls More info: https://pkg.go.dev/vuln/GO-2023-1987 Standard library Found in: crypto/tls@go1.19.8 Fixed in: crypto/tls@go1.21rc4 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext exercism#2: cli/cli.go:199:23: cli.extractBinary calls io.Copy, which eventually calls tls.Conn.Read exercism#3: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which calls tls.Conn.Write exercism#4: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Dialer.DialContext Vulnerability exercism#4: GO-2023-1878 Insufficient sanitization of Host header in net/http More info: https://pkg.go.dev/vuln/GO-2023-1878 Standard library Found in: net/http@go1.19.8 Fixed in: net/http@go1.20.6 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do exercism#2: cmd/troubleshoot.go:206:32: cmd.apiPing.Call calls http.Client.Get Vulnerability exercism#5: GO-2023-1840 Unsafe behavior in setuid/setgid binaries in runtime More info: https://pkg.go.dev/vuln/GO-2023-1840 Standard library Found in: runtime@go1.19.8 Fixed in: runtime@go1.20.5 Example traces found: #1: debug/debug.go:80:12: debug.DumpResponse calls log.Fatal, which eventually calls runtime.Caller exercism#2: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Callers exercism#3: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.CallersFrames exercism#4: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Frames.Next exercism#5: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.GC exercism#6: workspace/exercise_metadata.go:66:24: workspace.ExerciseMetadata.Write calls json.Marshal, which eventually calls runtime.GOMAXPROCS exercism#7: config/config.go:57:18: config.Dir calls os.Getenv, which eventually calls runtime.GOROOT exercism#8: cli/cli.go:202:29: cli.extractBinary calls os.File.Seek, which eventually calls runtime.KeepAlive exercism#9: cli/cli.go:135:2: cli.CLI.Upgrade calls os.File.Close, which eventually calls runtime.SetFinalizer exercism#10: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which eventually calls runtime.Stack exercism#11: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.TypeAssertionError.Error exercism#12: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.defaultMemProfileRate exercism#13: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.efaceOf exercism#14: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.findfunc exercism#15: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.float64frombits exercism#16: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.forcegchelper exercism#17: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta exercism#18: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.plainError.Error exercism#19: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.throw Vulnerability exercism#6: GO-2023-1753 Improper handling of empty HTML attributes in html/template More info: https://pkg.go.dev/vuln/GO-2023-1753 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#7: GO-2023-1752 Improper handling of JavaScript whitespace in html/template More info: https://pkg.go.dev/vuln/GO-2023-1752 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability exercism#8: GO-2023-1751 Improper sanitization of CSS values in html/template More info: https://pkg.go.dev/vuln/GO-2023-1751 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute ```
* Bump minimum Go version to 1.18 This change bumps the minimum Go version to 1.18 to take advantage of a number of fixes to the language, while matching the minimum version for a number of key dependencies which have been moving away from Go 1.15. This change drops support for Go 1.15 in the Exercism CLI. * Bump minimum go version to 1.19 * fix: update build tags to Go 1.18 syntax ``` ~> go1.18.10 fix ./... ``` * Replace calls to deprecated io/ioutil pkg * fix(deps): update module github.com/spf13/viper to v1.15.0 This change bumps spf13/viper to address reported vulnerabilities in yaml.v2 ``` ~> govulncheck -test ./... Scanning your code and 210 packages across 21 dependent modules for known vulnerabilities... Vulnerability #1: GO-2022-0956 Excessive resource consumption in gopkg.in/yaml.v2 More info: https://pkg.go.dev/vuln/GO-2022-0956 Module: gopkg.in/yaml.v2 Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d Fixed in: gopkg.in/yaml.v2@v2.2.4 Example traces found: #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal Vulnerability #2: GO-2021-0061 Denial of service in gopkg.in/yaml.v2 More info: https://pkg.go.dev/vuln/GO-2021-0061 Module: gopkg.in/yaml.v2 Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d Fixed in: gopkg.in/yaml.v2@v2.2.3 Example traces found: #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal Vulnerability #3: GO-2020-0036 Excessive resource consumption in YAML parsing in gopkg.in/yaml.v2 More info: https://pkg.go.dev/vuln/GO-2020-0036 Module: gopkg.in/yaml.v2 Found in: gopkg.in/yaml.v2@v2.0.0-20170721122051-25c4ec802a7d Fixed in: gopkg.in/yaml.v2@v2.2.8 Example traces found: #1: cmd/submit.go:129:23: cmd.getExerciseSolutionFiles calls viper.Viper.ReadInConfig, which eventually calls yaml.Unmarshal ``` * deps: update module github.com/spf13/cobra to v1.7.0 * deps: update module github.com/stretchr/testify to v1.8.4 * workflows/ci.yml: Add multiple Go versions to testing matrix This change officially removes Go 1.15 from the testing matrix and adds the Go versions used for supporting the Exercism CLI. Namely Go 1.19, 1.20, and 1.21.x. * Bump minimum Go version to 1.20 * Bump Go tooling to use 1.20.x for release and testing. ``` Scanning your code and 207 packages across 19 dependent modules for known vulnerabilities... Vulnerability #1: GO-2023-2043 Improper handling of special tags within script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2043 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability #2: GO-2023-2041 Improper handling of HTML-like comments in script contexts in html/template More info: https://pkg.go.dev/vuln/GO-2023-2041 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.21.1 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability #3: GO-2023-1987 Large RSA keys can cause high CPU usage in crypto/tls More info: https://pkg.go.dev/vuln/GO-2023-1987 Standard library Found in: crypto/tls@go1.19.8 Fixed in: crypto/tls@go1.21rc4 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Conn.HandshakeContext #2: cli/cli.go:199:23: cli.extractBinary calls io.Copy, which eventually calls tls.Conn.Read #3: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which calls tls.Conn.Write #4: api/client.go:68:25: api.Client.Do calls http.Client.Do, which eventually calls tls.Dialer.DialContext Vulnerability #4: GO-2023-1878 Insufficient sanitization of Host header in net/http More info: https://pkg.go.dev/vuln/GO-2023-1878 Standard library Found in: net/http@go1.19.8 Fixed in: net/http@go1.20.6 Example traces found: #1: api/client.go:68:25: api.Client.Do calls http.Client.Do #2: cmd/troubleshoot.go:206:32: cmd.apiPing.Call calls http.Client.Get Vulnerability #5: GO-2023-1840 Unsafe behavior in setuid/setgid binaries in runtime More info: https://pkg.go.dev/vuln/GO-2023-1840 Standard library Found in: runtime@go1.19.8 Fixed in: runtime@go1.20.5 Example traces found: #1: debug/debug.go:80:12: debug.DumpResponse calls log.Fatal, which eventually calls runtime.Caller #2: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Callers #3: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.CallersFrames #4: workspace/exercise_metadata.go:39:26: workspace.NewExerciseMetadata calls json.Unmarshal, which eventually calls runtime.Frames.Next #5: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.GC #6: workspace/exercise_metadata.go:66:24: workspace.ExerciseMetadata.Write calls json.Marshal, which eventually calls runtime.GOMAXPROCS #7: config/config.go:57:18: config.Dir calls os.Getenv, which eventually calls runtime.GOROOT #8: cli/cli.go:202:29: cli.extractBinary calls os.File.Seek, which eventually calls runtime.KeepAlive #9: cli/cli.go:135:2: cli.CLI.Upgrade calls os.File.Close, which eventually calls runtime.SetFinalizer #10: debug/debug.go:32:14: debug.Printf calls fmt.Fprintf, which eventually calls runtime.Stack #11: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.TypeAssertionError.Error #12: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.defaultMemProfileRate #13: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.efaceOf #14: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.findfunc #15: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which calls runtime.float64frombits #16: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.forcegchelper #17: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.funcMaxSPDelta #18: cmd/root.go:39:27: cmd.Execute calls cobra.Command.Execute, which eventually calls runtime.plainError.Error #19: workspace/test_configurations.go:5:2: workspace.init calls runtime.init, which eventually calls runtime.throw Vulnerability #6: GO-2023-1753 Improper handling of empty HTML attributes in html/template More info: https://pkg.go.dev/vuln/GO-2023-1753 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability #7: GO-2023-1752 Improper handling of JavaScript whitespace in html/template More info: https://pkg.go.dev/vuln/GO-2023-1752 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute Vulnerability #8: GO-2023-1751 Improper sanitization of CSS values in html/template More info: https://pkg.go.dev/vuln/GO-2023-1751 Standard library Found in: html/template@go1.19.8 Fixed in: html/template@go1.20.4 Example traces found: #1: cmd/troubleshoot.go:127:20: cmd.Status.compile calls template.Template.Execute ```
See the second section of this article: http://blog.golang.org/organizing-go-code
It would be great to be able to type "go get github.com/msgehard/go-exercism/exercism" to build and install the command line tool.
To handle the external dependencies, check a copy of them into your repo under third_party/foo, and rewrite the import paths. This is the approach we take internally at Google and in the camlistore.org project. It means you don't need to mess around with git sub-repositories either, which is either a plus or a minus depending on how you look at it.
The text was updated successfully, but these errors were encountered: