What I wanted to address immediately is the lack of strong cryptographic locking.
I love everything about this proposal! 👏
With one small exception
import "github.com/go-yaml/yaml/v2"
I don't think it's necessary to create v2 sub module (or whatever
they're called) to denote the api break if there is an existing v2.y.z
tag. For example I cannot use vgo to build a project that depends on
the correctly semver tagged k8s.io/client-go repo.
% cat go.mod
module "github.com/heptio/contour"
require (
"k8s.io/client-go" v6.0.0
)
% vgo build ./cmd/contour
vgo: errors parsing go.mod:
/Users/dfc/src/github.com/heptio/contour/go.mod:4: invalid module:
k8s.io/client-go should be v1, not v6 (v6.0.0)
I just posted a new post about this topic. research.swtch.com/vgo-import.
There's one perhaps minor point that I'd like to be clarified too - the
decision to standardize around zip files. Not the fact that archives are
used instead of git/hg/etc, but rather the compression format.
--
I agree very much with Dave about littering the repo with major version folders. Why can't this be inferred from tags, branches or releases to take the GitHub example?
--
--
On Wed, Feb 21, 2018 at 4:59 PM, Henrik Johansson <dahan...@gmail.com> wrote:I agree very much with Dave about littering the repo with major version folders. Why can't this be inferred from tags, branches or releases to take the GitHub example?
See my reply to Dave (was typing as your mail came in), but just to reemphasize: you do not have to put v2 code in a v2 directory. You can have a repo that's just v2 at the top level. You just still have to import it with a v2 import path.
One thing to add, which is why I'm writing this mail, is that if you are concerned about backwards compatibility with old "go get", then you can't just update your import paths without also changing the directory structure. That's part of why it's allowed to use a v2 subdir. But if your users are all using other versioning tools, they might all work fine configured to find "my/thing/v2" in github.com/you/mything v2.0.0's root directory.Best,Russ
-j
--
---j
Import path and physical code location (in a repo or on your disk)
were, until now, essentially equal to each other. But that fact was
always carefully caveated as an implementation detail leveraged by the
`go` tool, technically they didn't need to be identical. With `vgo`
they are broken apart in this circumstance.
Why can't (or shouldn't) vgo be able to do this?
require ("github.com/nancy/drew" v2.0.0"github.com/library/books" v1.0.0 {"github.com/nancy/drew" v3.0.0})
This avoids the need to use '/v2' in import paths or for me, as a library author to decide if I need to make '/v2' directories or not. (PS: I'm still not sure when I would need to add or use '/v2', both as a library author or consumer. But I'm still not caught up on your blog posts/writtings. :-( ).
use a repo that has version tags >= 2.0.0 but isn't using the /vNThe big question in my mind is whether I can successfully import and
suffixes in its own source code.
On 21 February 2018 at 22:11, roger peppe <rogp...@gmail.com> wrote:
> The big question in my mind is whether I can successfully import and
> use a repo that has version tags >= 2.0.0 but isn't using the /vN
> suffixes in its own source code.
I've been thinking a bit more about this. Assuming this is a current
hard restriction, this essentially means we can't start using vgo for
any of our tools until all their dependencies with tagged versions >=
2 have updated to use versioned import paths internally. That's
probably not going to happen for a long time.
Another issue is that when a major version changes in a repo, all the
import statements in that repo need to be changed too. Although that
can be automated, the churn is non-trivial (for example, in one
project I work on, there are almost 12000 import statements that would
change).
How about this: when an import path within a repo does not contain an
explicit major version, that version is implied by looking at the
go.mod file for that repo?
Russ, after multiple attempts, I'm still having trouble understanding your last couple of posts here. It seems a bit like you're saying, “You don't need /v2/ in the path; just make sure you put a /v2/ in the path.” Evidently I'm not understanding the terminology enough to see the distinctions between terms.Are you saying that because vgo is downloading zips, you can call something "github.com/foo/bar/v2/" as a module name even though it lives at "github.com/foo/bar"? Or am I missing something?
Hi,For Go 1.11 I am thinking about doing this.
Feedback welcome.:-)Best,Russ
I know that maintaining backward compatibility is a virtue, but it's a
virtue that comes with trade-offs. If there's a fast-moving module
that's imported by hardly anyone, there's a significant penalty to pay
for maintaining backward compatibility (and I'm not talking about
maintaining versioned import paths here). In practice, I believe that
maintainers of fast-moving modules *will* break backwards
compatibility anyway, and that if they need to change all the import
paths every time they do it, they just won't bother maintaining
semantic versions, and we'll be back in the bad old days of everything
being broken all the time.
You're going to lose import path == file system code location no matter what. Your system needs to be able to deal with multiple versions of a given package being available, for different builds. They can't both be in the same place. Also replacements and the like change things.
On Thursday, February 22, 2018 at 7:55:46 PM UTC-5, rsc wrote:You're going to lose import path == file system code location no matter what. Your system needs to be able to deal with multiple versions of a given package being available, for different builds. They can't both be in the same place. Also replacements and the like change things.I'm fine with replacements changing things - that's what they're for.But it would be nice not to break the rule that if you see github.com/zellyn/goapple2/v2 in an import statement, and load that URL in your browser, you can expect to find something there.
That doesn't work today. I can import github.com/zellyn/goapple2/shiny but the same URL is a 404.
But it would be nice not to break the rule that if you see github.com/zellyn/goapple2/v2 in an import statement, and load that URL in your browser, you can expect to find something there.That doesn't work today. I can import github.com/zellyn/goapple2/shiny but the same URL is a 404.
Why not just use Go code throughout? We could extend Go syntax in
a backwards-compatible way to be able to express all the information
contained in the go.mod file. The bulk of the code would continue
to import old-style, "bare", imports, while a single, or perhaps a
small number of Go files would encode the information required for
version management using new-style imports. Perhaps this file, or
files could have standardized names, zmod.go, or whatever (please
don't bikeshed the name).
I will have to play with the API promise and minimal version selection in my head for a bit, in particular around what they will encourage in terms of deprecation and security updates.
Yes. I had a similar thought. If we have some way of cryptographically
verifying version to hash correspondence (via some online equivalent
of go.modverify), then that could also serve as a conduit for signed
security updates.
I can imagine a scheme where if you can prove you control a repo and a
private key (by adding a specifically named branch containing some
signed info, for example), then you'd be able to publish signed
statements to a verifier service to the effect that a given version or
set of versions should be excluded.
Hey Russ, am I understanding things correctly? If you don't specify which version you want to pull in as a dependency, instead of pulling the latest version, it pulls in the latest v1? I can't be reading that correctly. I must be mistaken there. So lets say you pulled in firefox as a dependency (assuming it was a go package). Instead of pulling in firefox 56 (or whatever it is on now), it would pull in firefox 1?, unless you explicitly told it to use firefox 56?
But it would be nice not to break the rule that if you see github.com/zellyn/goapple2/v2 in an import statement, and load that URL in your browser, you can expect to find something there.That doesn't work today. I can import github.com/zellyn/goapple2/shiny but the same URL is a 404.But phrased as a feature request, it’d be nice if vgo could tell you about the upstream/source for a given module—things like where you should contribute changes, file bugs, ask questions. That’d probably mean adding a field to the download protocol, probably free text, since it is meant for humans. For example, for major code hosts, it would probably tell you the repo url, the relevant tag or branch, and the file path within that repo. For commercial offerings perhaps it would provide a support email address.
Speaking of which, out of curiosity, how does vgo play with binary-only packages? Is there a well-defined place in the zip file for them?
However, if I understood correctly from the documents, there are at least three different ways to refer to the same package in vgo:"rsc.io/quote" 1.2.0 // in the go.mod file$ vgo get "rsc.io/qu...@1.2.0" # in the command line$ cd /Users/rsc/src/v/rsc.io/quote(v1.5.2) # source dirI think it would be better to always use the same. For example, I may want to copy the string “rsc.io/qu...@1.2.0” from the go.mod file and paste it in my terminal to run a go get command after increasing the version number, and then change to the corresponding directory to make a quick inspection.
Moreover, there is no reason versioned import paths could not be allowed in go source files. Minimal version selection would do the right thing anyway. But that is another topic...
After reading your posts on the topic, asking a number of (possibly foolish; thanks for your patience) questions, and experimenting a bit with the current prototype, I'm still a bit confused about versioning. A few things about it that stand out to me:
- Package versioning is stored "out of band" in either the Git tags or the zip file name. When fetching a package we no longer have to use Git, but servers or package release software that build zip files will still need to understand it. What happens when I'm using <future VCS>? Does the release build software need to support that too? What if it doesn't support tags?
It seems to me like tags in Git should only be for backwards compatibility with repos that are being imported "go get"-style.
- If we introduce signing of package zips later, the fact that the version is only in the filename means it's not signed (probably) unless we introduce some other sort of "info" file that gets signed with the zip. This isn't a big deal, but it seems like the version could just be somewhere that it gets signed along with the other files in the repo.
- Putting the major version in two places by convention feels very "un-go-like" because it gives me so many different and confusing ways to handle it (it could be in the physical path, it could be only in the module name, it could even be the package name). While I suspect that it only really makes sense to change the module name, this still feels confusing.
The "obvious" thing to me would be to include the version in the mod file and only use tags for backwards compatibility, but I suspect this has been thought of; what would the downside be to doing something like this, for example:
module "example.com/mypackage" v2.5.0
Instead of putting the major version in the path name and in git, if it is in the mod file we can show it in errors ("v2 oauth.Token is not of type v3 oauth.Token" or similar),
and we don't need to set the version in two places, the mod file becomes the only source of truth (though of course, if we want to set it in Git we still can).
Thanks, all of those points make sense and cleared up some of my confusion, with one exception:
On Mon, Feb 26, 2018, at 12:36, Russ Cox wrote:
> Personally, I am comfortable assuming that any future VCS will also have
> that kind of functionality in some form.
That assumption seems fair.
Does this mean that whatever release tool or server we come up with still has to support all current VCS' and possibly future ones to know how to create zip files though?
An explicit goal for Go from the beginning was to be able to build Go code using only the information found in the source itself, not needing to write a makefile or one of the many modern replacements for makefiles. If Go needed a configuration file to explain how to build your program, then Go would have failed.
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+unsubscribe@googlegroups.com.