-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Checking in vendored dependencies? #1097
Comments
Hi @timoreimann
Good luck with that!
That's not really the case in fact. It sadly happens quite often. The last time we talk about that, we agree to test vendoring dependencies. We just need a PR... |
We have been doing this internally at my work place for quite some time. It's not ideal (mostly because the Github code review flow is inconsistent and messy at times) but yet the best we could find.
I take this as an official invitation to provide a PR. :-) |
This same subject has come up frequently at Deis and in various Kubernetes projects. Let me offer up one very heinous issue with vendoring dependencies... it's nearly impossible to assert when someone has modified the source of a dependency and committed that along with other changes. This doesn't even have to be malicious. I think we've all run into the situation before where we went and hacked up someone else's library locally to add more debugging. This is safe when the vendored code is untracked, but if tracked, those sort of changes can accidentally be committed... and they're not likely to be noticed by reviewers. |
It works really ok (we do this on
Yes, that's why we need a check on that. On I am 👍 multiplied by 💯 for this 👼 |
Nice, I didn't realize the suppressing-vendor-changes UI feature finally made it in. 🎉
Is there some place in the docker build pipeline you could point me to where we could copy the idea from? (Not sure if we need it from the beginning though.) |
@timoreimann the check is here : https://github.com/docker/docker/blob/master/hack/validate/vendor … I did the first script (then it changed when we changed the tool we use for vendoring) so I can definitely help to put this in place.
(we do 😉 — it's not that big of a deal anyway) |
👍 I have started to put together a PR. Will hopefully be able to push something soon. One thing I noticed was that there are separate glide files for the primary project and the integration tests. The introducing commit said something about glide not being able to "read the version info from docker/docker". Any ideas what's up with that, and if we need to maintain the disparity? FWIW, in my feature branch, I have removed the nested glide files and started to add the missing dependencies using glide one at a time, and the number of compile errors seems to drop steadily. Let me know if this is the wrong way to go though. |
@timoreimann I think we definitely want to keep the separate integration tests glide file.
Maybe glide is not able to read tags ? @errm do you remember ? |
Glide should support pretty much all of semver specifiers, branches, tags, and commit IDs. It also has a |
Yep, I know, we use semver tags with many deps. Maybe there is a specific issue with Docker, I don't know. Nevermind, can I suggest to NOT merge both glide.yml files for now, and stick with vendoring in your PR? |
@emilevauge yes, absolutely. Will try to be as KISS as possible. 😄 |
(I couldn't find any previous issues / pull requests on the following request, so I'm opening this one.)
I was wondering if the Traefik maintainers were open to checking in vendored dependencies into git. Right now, in order to build the project, developers first have to do
glide install
to bring in dependencies in the correct versions. For me, this is multiple unfavorable implications:glide install
on every git pull to guarantee consistency. One problem with this is that it's easy to forget and could lead to hard-to-trace bugs. The other concern is that you need to do it on every branch switch just to be safe.All of these problems would go away if the
vendor/
folder was checked into the VCS.Of course, there are also downsides:
I realize that there are numerous proponents for each of the commit/don't commit camps, and obviously I'm part of the commit camp. For me, the benefits clearly outnumber of drawbacks. I'd be curious to know how the Traefik project thinks about this matter and whether there's interest in "switching camps". :-)
Thanks!
The text was updated successfully, but these errors were encountered: