-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: cmd/go: partial vendoring #52604
Comments
previously #30240 |
This proposal has been added to the active column of the proposals project |
I think partial vendoring is a fine concept, but I wouldn't want to key it on However, there is one added wrinkle: the ...but that's probably ok, given lazy module loading! We would at least still be able to load the dependencies from modules whose versions are listed explicitly in the |
I'm not fixated on any particular solution, GOPRIVATE was just an off the top of my head suggestion. My primary goal is to be able to use the vendor capability in an organizational entity (MyOrg) to draw a line between modules "owned" by other entities (IOW: vendors) and those owned by MyOrg. This, in order to protect the viability of a critical Go program that depends on stuff owned by "someone else" where it is possible that that other stuff may just up and disappear. The secondary benefit is being able to avoid multiple copies of MyOrg modules in MyOrg's SCRaM system, which should make rolling out critical bug fixes in heavily reused MyOrg modules safer and easier. |
Vendoring only private modules would be fine. On some PAAS (Cloud Run for example) it's difficult to include private modules, it could be find to vendor only them. |
Is the point of this to save disk space? Why is it useful? |
@hherman1 for my use case i can commit my very little private module but i would not like to pollute my code history with all the other dependencies. |
Copying code owned by entity B protects entity A from being unable to compile their Go program because entity B deleted their repository. Copying one's own code into multiple projects does indeed waste disc space, but also makes search, tracking, management and maintenance more complicated. Programs owned by A that reuse a module also owned by A become more difficult to maintain by requiring a manual step to update the copy of the reused module in each project. Assume, say, fifty programs owned by A that all reuse module X which is also owned by A. Fifty copies of that module exist in the SCRaM system and there you have your wasted disc space. Also, to update each program when a bug in module X is fixed is easy if all fifty projects refer to the source repository of module X, more difficult when each project must be manually updated to copy the new module X code into all fifty projects. Certain kinds of search in that SCRaM system will also return fifty results, not just one, because of the multiple copies. The ability to distinguish between owned and not owned code when making a "vendor" copy also assists in management of other entity bounded operations, such as license change, tracking and management. |
If I understand correctly the manual step of updating censored code doesn’t seem so different from the manual step of incrementing the dependency version in go.mod, so it seems like you would still have the problem you’re describing even with partial vendoring. |
I'm not sure what you mean by censored code (versioned code?) but in our production environment it is relatively easy to update the module version of self owned modules across the whole repository. That said, is there a way to specify a version in go.mod such that, say, 1.2.* will match any version that starts with 1.2? In any event, module version update is just one of four issues I raised above. Perhaps the better solution is to just stop using vendoring and instead support this requirement in another system such as a read through cache that never evicts unless explicitly told to do so. |
Sounds like we should put this on hold for bandwidth from the cmd/go team. |
Placed on hold. |
The go mod vendor capability is great for insulating a working program from changes made in imported modules.
It would benefit from having the ability to download only those modules that are imported from external entities.
Within a single entity, every project that uses a popular module and the vendor capability will store a copy of the same code. With multiple projects referencing this popular module, multiple copies will be stored in the owning entities' source code repository.
Modifying the vendoring capability to download only modules owned by external entities would be a useful change. Reuse of the GOPRIVATE env var might make sense, but if overloading the semantics of this variable is problematic a new one could be added or a switch added to the command.
The text was updated successfully, but these errors were encountered: