Hi Gophers,
I know that version locking, tag referencing, etc. has been an issue brought up on the mailing list _many_ times before. For the purpose of this post, I'll re-explain the problem in the next paragraph, but this post is different in that I propose a solution that requires zero changes to the actual Go tooling and actually requires no external tooling in and of itself.
The problem (skip if you understand): External, non standard library imports are tied to GitHub, BitBucket, etc. repositories. When you run `go get`, it just gets the tip of each repository if it hasn't before. `go get -u` updates from the tip if you already have the repository downloaded. The idea is elegant: master should always be stable, APIs should be stable. In practice, however, this is not the case for a good amount of time as something is being developed, and the uncertainty of change is frightening in many business cases. I'd like a way to lock an import to a specific ref (commit, tag, branch, etc.).
As stated earlier, this problem has been noted many times before. From what I can tell, there are a camp of people who don't think its a problem, a camp of people who believe it is a problem but don't have a good solution yet, and a far right group who identifies the problem and demands changes to Go itself immediately to handle it. The solution I'll propose will hopefully please (or at least compromise) with all of these groups.
I propose a free, open-source, and sponsored service called GopherVault. Due to the nature of the service, I wanted to ask for input prior to working on something like this.
GopherVault is simple. You replace your imports that look like this:
With ones that look like this:
Where the "8b59089" is the ref. That can be a commit hash, a tag name, a branch name, etc.
GopherVault itself uses the HTTP <meta> tag that `go get` supports to redirect to the proper ref in the repository. The elegance in this solution is that it is just _plain old Go_. You don't need an external tool, you don't need to even care about GopherVault. But it is there if you want it.
I work with a lot of companies (primarily because of Vagrant:
vagrantup.com), and I've proposed this solution and they're almost completely in favor of it. A few large companies I work with have explicitly said they can't use Go because the dependency situation is too much of a headache. They understand they can fork the repositories themselves, but the management and uncertainty involved is just too much compared to something like Maven. Something like GopherVault, especially if they can run a firewall (on-premise) version, is very attractive.
Let me address some complaints or feedback I expect to receive:
* SPOF (single point of failure) - It really is no more of an SPOF than GitHub, BitBucket, etc. If you care about availability, you can self-host one. Also, you usually aren't updating (`go get -u`) that often, so the effect of downtime would be minimal.
* Ugly URLs - They're marginally longer than what they were previously. The "meat" of the URL is still the suffix of the URL, just like every other Go dependency. I think this is a fair tradeoff and doesn't add a lot of noise.
* Why don't you have an external file mapping dependencies to refs? - Because it would require tooling (in Go itself or external). I want there to be ZERO dependencies, so that if someone new to Go doesn't even know about GopherVault, they can still use the standard tooling and it'll *just work*.
* Keeping all my dependencies locked at the same ref will be hard... - `gofmt -r` to the rescue.
* It isn't a problem! - I wish I could agree with this, but I've talked to enough businesses in the area that is most certainly is a point of contention. Its hard to put something in production on a wide-scale if you can't GUARANTEE what dependencies you're going to be getting. I realize to the people who are arguing this point, that that may sound silly, but I promise I'm just echoing what I've heard. I think my solution is a pragmatic solution to this, whether you like it or not.
Now, asking for comments like this prior to building something isn't typically my style. But because Git/Hg/etc. URLs dont support this sort of thing, GopherVault will have to cache these repositories, periodically updating them upstream. This requires a lot of bandwidth. If I bring something like GopheVault to fruition, I don't want it to ever go down, for obvious reasons. So I'm asking for comments on what people think prior to building it, so that I may go out and potentially get sponsorship SOLELY for hosting/bandwidth costs. This is a non-profit, free service to the community. And as I said earlier, it will be open source so people can run their own if they wished.
As for the ability to deliver: I have a reasonably strong background in being able to ship quality software, including open source software. My creds:
Thanks for your time. I appreciate it.
Best,
Mitchell