--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
A couple of initial questions:
- The "pretend you're importing github.com/foo/bar but actually pull it from localgit.host/foo/bar" functionality of dep was going to really simplify things for us. I can't quite tell whether vgo includes that functionality or not. We would want to do it at the monorepo level: ie. *everything* should use our forked version of the `glog` and `protobuf` packages.
- For our (go monorepo) usecase: do you envision a single go.mod file being placed at the root, or would we sprinkle them as needed for each sub-project in the monorepo? Does vgo search upward for go.mod files?
- More details on the zipfile module representation will be welcome.
- Getting rid of GOPATH is nice. Where will `vgo install` drop binaries?
I love this. I want it now.
I've struggled with `glide` and `dep` dependency hell a lot in my Go projects (especially those that use the Kubernetes client library, which abuses "I, the library author, can define byzantine constraints on my users" to the extreme). The way I've described it informally is that traditional "arbitrary version selection" algorithms create the wrong incentive structure for library authors, in the sense that they have all the power to lock versions arbitrarily, but bear none of the pain associated with their decisions - instead, the binary author at the apex of the dependency tree gets that pain. "Authority without responsibility" is the death of many incentive structures.
Questions that arose during reading:
- In the "defining Go modules" section, you say: "Although semantic versions are strongly preferred, referring to specific commits will be supported as well." Then, you specify that such commits order before v0.0.0. To me, this suggests that this feature will be useless, because any non-trivial example will have some semver constraint somewhere in the dependency tree, such that in practice commit-hash versions will always be overridden by minimal version selection. I don't have a solution to this (other than removing support for commit-hash versions), but it seems like it's something to think about
- Modules as zip archives: how do I discover which versions are available? Minimal version selection seems to rely on being able to list the version continuum for a module, so that constraints can be applied. What's the expected way to do that?
- Writing module files sounds like a job for a machine, in cases where I don't care which version gets used. Can `goimports` (or a new sibling tool) be taught to update module definitions based on my code?
With regards to minimum version selection, if I depend on some feature
present, this comes with two implicit dependencies: correctness and
safety. My knee-jerk reaction here is that the time folks spend
"telling the package manager, 'no, use at least Y,'" will largely be
in response to these sorts of issues. Maybe this is seen as "working
as intended;" my feeling is that this will become tiresome for
projects with large dependency chains. Might it be worthwhile (and
automatically possible) to pick the "maximally correct" minimum
version?
test and update not to the latest but some earlier version.May be one can write a tool around or similar to "vgo test" to
For example, if pkg A currently imports C v1.x and B imports C
v1.y, through iterative testing one may find C v1.z that works
for both and update go.mod files for both A & B.
The underlying concern is that with better tooling to manage
versioning, there will also be more versions to manage as
there is less of an incentive to try to make things work with
the latest versions of imported packages. I wondered if there
is a way to encourage/improve the quality/correctness aspect.
One vague idea is to consider specifying tests (in go.mod) to
be run prior to an update. Sort of like asserts in code.
I wondered if there
is a way to encourage/improve the quality/correctness aspect.
One vague idea is to consider specifying tests (in go.mod) to
be run prior to an update. Sort of like asserts in code.
Apart from this concern vgo seems like a huge improvement.
Well done!
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
On Tue, Feb 20, 2018 at 1:55 PM, David Anderson <da...@natulte.net> wrote:I love this. I want it now.go get -u golang.org/x/vgo :-)I've struggled with `glide` and `dep` dependency hell a lot in my Go projects (especially those that use the Kubernetes client library, which abuses "I, the library author, can define byzantine constraints on my users" to the extreme). The way I've described it informally is that traditional "arbitrary version selection" algorithms create the wrong incentive structure for library authors, in the sense that they have all the power to lock versions arbitrarily, but bear none of the pain associated with their decisions - instead, the binary author at the apex of the dependency tree gets that pain. "Authority without responsibility" is the death of many incentive structures.Yes, I'll make that point again in tomorrow's posts elaborating minimal version selection, but I think this is probably the most important algorithmic policy detail. You get total control over your own build. You only get limited control over other people's builds that happen to import your code.
Questions that arose during reading:
- In the "defining Go modules" section, you say: "Although semantic versions are strongly preferred, referring to specific commits will be supported as well." Then, you specify that such commits order before v0.0.0. To me, this suggests that this feature will be useless, because any non-trivial example will have some semver constraint somewhere in the dependency tree, such that in practice commit-hash versions will always be overridden by minimal version selection. I don't have a solution to this (other than removing support for commit-hash versions), but it seems like it's something to think about
That's by design: if v1.2.3 is the latest tagged version and there's some experimental new stuff that you choose to depend on, and then vgo has to decide between those two requirements coming from two different dependencies in a larger build, I want it to pick the tagged one. That said, for builds of your own module, what you'd do is define that you want to replace the current latest (say, v1.2.3) with a different commit. In go.mod you'd say:and then the version selection would transparently drop in commithash as if it were really v1.2.3, so that it would win over v1.2.2, but not v1.2.4. I suppose you could even make up a very large number like v1.9999.0 and then depend on that. But again the replacement only applies to your build, not to other builds using your module.
- Modules as zip archives: how do I discover which versions are available? Minimal version selection seems to rely on being able to list the version continuum for a module, so that constraints can be applied. What's the expected way to do that?
Yes, you have to have a way to list them. I'll write more about that Thursday.
- Writing module files sounds like a job for a machine, in cases where I don't care which version gets used. Can `goimports` (or a new sibling tool) be taught to update module definitions based on my code?
Goimports just needs to put the import in. "vgo build" will see the new import and take care of the rest. It rewrites go.mod for you (and formats it too, of course).
Best,Russ
On Tue, 20 Feb 2018 13:02:47 -0800 David Anderson <da...@natulte.net> wrote:
>
> As a counterpoint to this: with vgo, I plan to make all my binary modules
> specify that they want the latest versions of everything,
The right choice here is not clear (at least to me).
Usually more stable versions are tagged and "released"
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
I love this. I want it now.
I've struggled with `glide` and `dep` dependency hell a lot in my Go projects (especially those that use the Kubernetes client library, which abuses "I, the library author, can define byzantine constraints on my users" to the extreme). The way I've described it informally is that traditional "arbitrary version selection" algorithms create the wrong incentive structure for library authors, in the sense that they have all the power to lock versions arbitrarily, but bear none of the pain associated with their decisions - instead, the binary author at the apex of the dependency tree gets that pain. "Authority without responsibility" is the death of many incentive structures.
The proposed rules around semver and minimal version selection address every pain point I've had so far, by aligning available authority with the responsibility of the library authors: tell me what versions definitely will not work, and I'll take it from there.
Questions that arose during reading:
- In the "defining Go modules" section, you say: "Although semantic versions are strongly preferred, referring to specific commits will be supported as well." Then, you specify that such commits order before v0.0.0. To me, this suggests that this feature will be useless, because any non-trivial example will have some semver constraint somewhere in the dependency tree, such that in practice commit-hash versions will always be overridden by minimal version selection. I don't have a solution to this (other than removing support for commit-hash versions), but it seems like it's something to think about
- One alternative I considered, but discarded, was to order all tags and commits by their date, and run minimal version selection on that. However, this doesn't work because semver tag dates don't grow monotonically - you might have 0.1.2 released after 0.2.0, which leads to confusing behavior to the user - why did 0.2.0 get selected when 0.1.2 was a "better" minimal version?
- Modules as zip archives: how do I discover which versions are available? Minimal version selection seems to rely on being able to list the version continuum for a module, so that constraints can be applied. What's the expected way to do that?
- Writing module files sounds like a job for a machine, in cases where I don't care which version gets used. Can `goimports` (or a new sibling tool) be taught to update module definitions based on my code?
- No GOPATH required: YES! Thank you. I share Zellyn's question on what happens to `go install` in this world. Does it go away? Does it install to some new $GOBINARYINSTALL or somesuch?
Haven't read the vgo tour yet, it may answer some of these. I may be back with more :)- Dave
Since the `vendor` folder is gone, is vgo able to manage and use a kind of `mirror` folder, which would contain the .zip archives of the project dependencies? This folder could be committed with the project source code.
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
·Any· change to the exported API of a package except adding new
top-level identifiers can be considered an incompatible (breaking)
change.
https://blog.merovius.de/2015/07/29/backwards-compatibility-in-go.html
Something like
import "foo" v2
would be mildly preferable to me as
import "foo/v2"
can also refer to version 1 of a package named v2 (as opposed
to version 2 of foo) and the current naming rules continue to
work.
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
Hi everyone,
I'll try to watch this thread to answer any questions.Best,Russ
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
Reading the latest post, https://research.swtch.com/vgo-mvs , a question...It feels to me like there's a missing 5th operation, in additions to the one you proposed: "upgrade all my direct dependencies to their latest version, but keep using minimal versions below that." I don't believe there is an analog to this operation in the worlds of `go get` or `dep`, but I think it might be an interesting middle-ground. I as the apex module developer want to say "I'd like to use the latest versions of the things I'm programming against, but I don't care about their dependencies – please defer to the library authors's opinions for those."First of all, am I reading correctly that this is not currently one of the options you described? If so, do you think this additional option has merit, compared to "upgrade the entire transitive closure to the absolute newest things" ?
On Wed, Feb 21, 2018 at 11:55 PM David Anderson <da...@natulte.net> wrote:Reading the latest post, https://research.swtch.com/vgo-mvs , a question...It feels to me like there's a missing 5th operation, in additions to the one you proposed: "upgrade all my direct dependencies to their latest version, but keep using minimal versions below that." I don't believe there is an analog to this operation in the worlds of `go get` or `dep`, but I think it might be an interesting middle-ground. I as the apex module developer want to say "I'd like to use the latest versions of the things I'm programming against, but I don't care about their dependencies – please defer to the library authors's opinions for those."First of all, am I reading correctly that this is not currently one of the options you described? If so, do you think this additional option has merit, compared to "upgrade the entire transitive closure to the absolute newest things" ?I think this operation is algorithmically trivial: Just bump the versions in A's list to the newest ones available of each direct dependency. I understand Russ' Article to justify that these operations can be implemented efficient and that thus a trivial operation isn't interesting to mention.
Currently, per the vgo tour, the entire transitive closure gets updated, which, per the article's definition, results in a low-fidelity build... If you assume that the intent of `vgo get -u` was "the libraries I'm calling have new features/fixes, please use them," and not "I want to use the latest possible code the universe can offer me, throughout the stack."
I believe both operations have their place, and I could be convinced either way on which should be the default for "update my stuff." I'm wondering if I'm alone in thinking that "upgrade only direct dependencies, minimal versions elsewhere" is desirable as a "suggested" commandline action.
I'm looking forward to see this in official releases too!Also I would like to:- Have a mechanism for safe dependency packages (as in Safe-Tcl - this implies it would be possible to have meta-data other than versions for packages, too).- This one looks like a minor change in import syntax and might bring in some security concerns: being able to use env-vars in imports: import "$MY_OTHER_PKG".
And the first idea is about having packages that does not harm the environment (like by importing reflect or executing external commands), and seems to be a feasible goal.
On Tue, Feb 20, 2018 at 11:37 AM, Russ Cox <r...@golang.org> wrote:On Tue, Feb 20, 2018 at 1:55 PM, David Anderson <da...@natulte.net> wrote:I love this. I want it now.go get -u golang.org/x/vgo :-)I've struggled with `glide` and `dep` dependency hell a lot in my Go projects (especially those that use the Kubernetes client library, which abuses "I, the library author, can define byzantine constraints on my users" to the extreme). The way I've described it informally is that traditional "arbitrary version selection" algorithms create the wrong incentive structure for library authors, in the sense that they have all the power to lock versions arbitrarily, but bear none of the pain associated with their decisions - instead, the binary author at the apex of the dependency tree gets that pain. "Authority without responsibility" is the death of many incentive structures.Yes, I'll make that point again in tomorrow's posts elaborating minimal version selection, but I think this is probably the most important algorithmic policy detail. You get total control over your own build. You only get limited control over other people's builds that happen to import your code.Big +1. I'm curious about your ideas on how to manage the transition from a glide/dep world to a vgo world. I look forward to reading more about that, assuming you have an article queued to discuss that facet :).
One thought that I hope you'll cover there: immutability. Reading through the vgo tour, it seems to assume that once v5.6.7 has been released, that .zip and its declared dependencies will never change.
I really like this, except for the claim that it the blog post that it
will eliminate vendoring and deprecate GOPATH and the problems that
will cause for backwards compatibility for things that are currently
using them. If this is going to result in removing language features
(ie. vendoring), shouldn't it be in Go2, not Go 1.11?
The other question I have is: where does the module name come from if
you don't have a "// import" comment on the package, since it can't be
filesystem based (because you're explicitly outside of GOPATH..)
Hi everyone,I have a new blog post you might be interested in.I'll try to watch this thread to answer any questions.Best,Russ
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
The date+hash format is irritating to construct by hand, but could be trivially lifted into a tool (perhaps even vgo itself).
The version to use in that replacement was hard to come by. Since vgo was unable to compute the right dependency list without this replacement, it bailed without giving me any version I might use. The date+hash format is irritating to construct by hand, but could be trivially lifted into a tool (perhaps even vgo itself).
Right, that works for clients of the library (and I did manage to get
my projects working with that and it now feels magical) but authors of
modules above v1 are posed with a bit of a quandary as to how to give
their users a nice vgo version without breaking current users on plain
go.
--
You received this message because you are subscribed to a topic in the Google Groups "golang-nuts" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/golang-nuts/jFPz5yZCPcQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to golang-nuts+unsubscribe@googlegroups.com.
Overall, I really like the direction vgo is headed.One thing that seems to be difficult, if not impossible to do (I've yet to figure out how to do so, anyway) is to work with code that has yet to be committed and resides outside of your module. This is a frequent occurrence for me, as I often have to work on groups of changes that interact between multiple repos. Yes, I'll eventually check those changes in, but usually not while actively working on the problem.
Related to this, it took a few minutes to realize that you really can't "downgrade" to a commit-level entry with the tool when a tag is present in the repo -- you have to manually edit it to get the desired behavior. I put downgrade in quotes because what I was actually trying to do was to get the actual latest (HEAD) code, but could not without manually futzing with the go.mod file. This is also something that I frequently need to do -- and I'm relatively sure I'm not alone -- so it seems like the tool should make this easy, not hard.Despite the two problems above, an inability to work with GitHub Enterprise (filed in a bug report), and concern over how IDEs will work with library source, I'm already enjoying working with vgo.- Rich
--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
Some forms of attempted versioning don't do well with vgo (:-))
I tried a main named "consumer" that imported "gopkg.in/Shopify/sarama.v1", and got
[davecb@miles consumer]$ vgo buildcan't load package: import cycle not allowedpackage gopkg.in/Shopify/sarama.v1imports gopkg.in/Shopify/sarama.v1import cycle not allowedpackage gopkg.in/Shopify/sarama.v1imports gopkg.in/Shopify/sarama.v1
[davecb@miles consumer]$ cat go.modmodule "gopkg.in/Shopify/sarama.v1"
go.mod
indicating v2, like this:➜ vgo git:(master) ✗ vgo test ./vendor/cmd/go/internal/modfetch/
vgo: import "github.com/serussell/vgo/vendor/cmd/go/internal/modfetch" ->
import "cmd/go/internal/modconv" [/usr/local/go/src/cmd/go/internal/modconv]: open /usr/local/go/src/cmd/go/internal/modconv: no such file or directory
The proposed rules around semver and minimal version selection address every pain point I've had so far, by aligning available authority with the responsibility of the library authors: tell me what versions definitely will not work, and I'll take it from there.
FYI, there is an active CL for this here: https://golang.org/cl/95578