Libraries must not vendor code.
What's a library? You're code is, if some other project imports it.
Libraries must not vendor code.
What's a library? You're code is, if some other project imports it.
What this achieves is it puts a package at /pkg/foo which is importable from the outside world which doesn't pull in any vendor'd packages.
On 1 April 2016 at 10:01, Dave Cheney <da...@cheney.net> wrote:Libraries must not vendor code.
What's a library? You're code is, if some other project imports it.Some open questions:(Let's say I have something intended to be used as both a library and a program :)
Is it OK to have a library /pkg/foo and a program /cmd/foo in the same repository? (My intuitive guess: a reasonable thing to want?)
Is /cmd/foo allowed to vendor /pkg/foo's dependencies? (yes)
Must that program also vendor that /pkg/foo? (seems like it might be required if you want to use vendoring in /cmd/foo)
Can you suggest a directory structure? (seems like you need a copy of /pkg/foo in the repository, which lives under /cmd/vendor or /cmd/foo/vendor)Something like:/cmd/foo/cmd/vendor/pkg/foo/cmd/vendor/foo-dependency/pkg/fooThe copy at /cmd/vendor/pkg/foo (or /pkg/foo depending on your perspective) is unfortunate, but I don't currently see another way. I'd love for there to be one :)
What this achieves is it puts a package at /pkg/foo which is importable from the outside world which doesn't pull in any vendor'd packages.
Don't do that, you're making it to hard on yourself. If it's a library; designed to be imported by _other_ repositories, put it in it's own repo. If it's a library that is part of the final application (what gb calls a project), then don't split it into it's own repo, that's just making it harder than it needs to be.
On Friday, 1 April 2016 20:18:11 UTC+11, Peter Waller wrote:Something like:/cmd/foo/cmd/vendor/pkg/foo/cmd/vendor/foo-dependency/pkg/fooThe copy at /cmd/vendor/pkg/foo (or /pkg/foo depending on your perspective) is unfortunate, but I don't currently see another way. I'd love for there to be one :)That's too complicated IMO, vendoring is per repo (per project)
On 1 April 2016 at 11:15, Dave Cheney <da...@cheney.net> wrote:Don't do that, you're making it to hard on yourself. If it's a library; designed to be imported by _other_ repositories, put it in it's own repo. If it's a library that is part of the final application (what gb calls a project), then don't split it into it's own repo, that's just making it harder than it needs to be.The problem isn't that I do that - in itself - but that there are packages in the wild that do this that I may want to import.I'm willing to change my behaviour where I become aware that is it wrong.On the other hand, I don't see what's wrong with having both a library and a main function in one package. I mean, etcd does it, right? Are they doing it wrong? If so, please tell them for me :)
I write much of my code so that main() is really a tiny program which just calls a library. Are you saying this has to live in its own repository, or am I misunderstanding?
If the library has many consumers then you should not also place vendored code in that repository -- otherwise consumers of your library will find themselves in the same position as Peter Bourgon has found himself.
Does that mean if your code is a library (you want others to import it)
you cannot have within it a test suite which requires vendored code?
If so, that's a bit unfortunate for interoperability tests.
On 1 April 2016 at 10:01, Dave Cheney <da...@cheney.net> wrote:Libraries must not vendor code.
What's a library? You're code is, if some other project imports it.Some open questions:(Let's say I have something intended to be used as both a library and a program :)
2016-04-01 12:51 GMT+02:00 Alex Bligh <al...@alex.org.uk>:
>
> On 1 Apr 2016, at 10:01, Dave Cheney <da...@cheney.net> wrote:
>
>> I think it could be more succinctly expressed as:
>>
>> Libraries must not vendor code.
>>
>> What's a library? You're code is, if some other project imports it.
>
> Does that mean if your code is a library (you want others to import it)
> you cannot have within it a test suite which requires vendored code?
> If so, that's a bit unfortunate for interoperability tests.
As I understand it, vendored dependencies themselves are not the
problem here, but *exposing* them such as returning or taking as
arguments types from them. So vendoring x/net/context and having
methods accept a context.Ctx from the outside is a no-no. But a
vendored dependency for tests, or internal use only, or as a
dependency to some cmd/* package in the same repo ought to be
acceptable.
I don't think this changes anything for the base rule of "libraries
should not vendor" - that still holds.
//jb
My suggestion above may not be absolute, i'm sure with scrupulous attention to detail by a very dedicate development team, backed by tooling which hasn't been developed yet, it could be made to work. But it seems simpler, and far more explainable, to adopt a "only main packages vendor" maxim.
That sounds utterly miserable. Both you, the library author, and the other you, the library consumer are walking on eggshells; one is petrified of accidentally leaking -- I don't think that concept is well understood -- it's never been a think that Go developers have had to worry about because there was only every one type for a given import path before -- and the other is petrified of being passed a type which will could fail an equality check when code is refactored, or a dependency updated.My suggestion above may not be absolute, i'm sure with scrupulous attention to detail by a very dedicate development team, backed by tooling which hasn't been developed yet, it could be made to work. But it seems simpler, and far more explainable, to adopt a "only main packages vendor" maxim.
Wrt to what gb does, if you follow the ideas of "rolling up" dependencies, you eventually end up at something that looks very similar to what gb does, dependencies are specified by the project, the final code that links a binary.
It does help you, as a library author, if you're willing to use tooling - which does not *require* that your users rely on that tooling (though they could get additional benefit if they do). the only restriction is that you can't commit the resulting vendor dir.
On Fri, Apr 1, 2016, at 12:32 PM, Sam Boyer wrote:It does help you, as a library author, if you're willing to use tooling - which does not *require* that your users rely on that tooling (though they could get additional benefit if they do). the only restriction is that you can't commit the resulting vendor dir.I'm wondering what the best approach is for this scenario: as a library author I want to commit my dependencies so I can reliably reconstruct a workable version of the library at any commit for bug triage.
I want that to work even if my dependencies rewrite history in their own repositories.
A secondary convenience of committing dependencies is that there is zero effort for me (or others) to start working on a library even if my local development environment has changed.
Nope, I don't think so.
I'm pretty sure that the only way the vendor experiment can be used _without_ extra tooling is by library writers forgoing it.
Wrt to what gb does, if you follow the ideas of "rolling up" dependencies, you eventually end up at something that looks very similar to what gb does, dependencies are specified by the project, the final code that links a binary.
The conclusion of this thread is both a sad one and inaccurate. Checking in the vendor folder is viral, but not bad. If a dep you use checks in souce in the vendor folder then you need to as well. I recommend a good tool to help such as govendor.
This consequence is the same as if you used import path rewriting under the internal folder.
It is not viral to include a vendor metadata file specifying versions and revisions.
Hi Zellyn,
If you didn't understand wtf2 is not how you use the vendor folder when it was introduced months ago, you never took the time to understand it in the first place.
A package won't build if you have two different dep packages that looks the same but you try to use them as the same package. If this is how you want to use the vendor folder, why didn't you try it back when go1.5 was released?
I support the vendor folder because it does indeed work for projects and it is standard, not because you can't break it in some way.