> an email to go-package-management+unsub...@googlegroups.com
> <mailto:go-package-management+unsub...@googlegroups.com>.
Not exactly sure where to incorporate this thought into your document,
so contributing here, rather than suggesting there.
You've missed additional reasons for "central" repositories.
Specifically, the scenarios inside an organization.
* Legal review - companies might wish to limit the use of "third
party" packages to only those in their internal "central"
repository. A central repository enforces a workflow wherein
packages are reviewed by Legal before they can be incorporated into
an "official" release.
* Mirroring - Saying that code is available on the internet may not
help if you work someplace where connectivity to the outside world
is unpredictable, or over a slow connection.
* Development sandbox for less-stable forks, or not-yet-fully-tested
for production libraries. I'm thinking of OS-level package managers
that let one identify other repositories outside of the official
ones for the OS (Gentoo overlays, for example).
"Vendoring" in Go sort-of addresses those use-cases for applications,
but doesn't help at all for libraries, where I think we (almost?) all
agree that vendoring doesn't make sense. Also, vendoring distributes the
problem of legal review, rather than centralizing, which increases the
chances of errors.
Eric
On 7/29/16 9:22 AM, Matt Farina wrote:
> Central repositories, like those for other programming language
> communities, have come up repeatedly. Without giving an opinion on
> what the Go community should do, I wrote up a doc that highlights what
> they do along with how other communities find them to be useful
> <https://docs.google.com/document/d/12FscANpkcznMTMRXqtgbK9JJo0dkT0xbe9IL-nlRbHI/edit#>.
>
>
> Because these docs are being viewed on Hacker News right now I only
> have suggested changes on. When things calm down I'm happy to open it
> up to easier changes. I'll give out edit permissions to folks in the
> interim if needed.
>
> Note, I'm not suggesting what we do. I just want folks to understand
> these since they are used by many other languages right now. Consider
> this more of the R in R&D.
> --
> You received this message because you are subscribed to the Google
> Groups "Go Package Management" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to go-package-management+unsub...@googlegroups.com
> <mailto:go-package-management+unsub...@googlegroups.com>.
* Mirroring - Saying that code is available on the internet may not
help if you work someplace where connectivity to the outside world
is unpredictable, or over a slow connection.You can mirror today. There are some projects to help you with it. But, the situation could be better. A central repo doesn't necessarily make this better or worse.
hi,
two quick comments,
* I d love to see a distributed storage engine over bt.... there s enough go users to make it possible, no ? :) Central repository would be kept only to reference the metadatas, provide query, search api and so on, rather than a huge centralized database containing the alpha and omega.... Now i ll agree that because go is mostly used in enterprise, there are poor chances that it happens.
Unless you have some ideas?* Mirroring - Saying that code is available on the internet may not
help if you work someplace where connectivity to the outside world
is unpredictable, or over a slow connection.You can mirror today. There are some projects to help you with it. But, the situation could be better. A central repo doesn't necessarily make this better or worse.
Good thing with central repository is that it will force to publish a package under the form of a tarball.
By then, it will be super easy to apply a sort of cache level at the end user storage system.
And if we could have an of http api between end user <> rest of the world, then it will be even more easier to cache at organization level by using different sources rather than the central repository.
The go tools are using repositories today, which makes this feature way more difficult to implement.
I also like this tarball packaging thing because my packages are holding a lots of side-jobs stuff which are non necessary to someone depending on them. Thus this tarball package would contain only the strict necessary for peer users.
I up vote that idea, i only regret there will be this huge point of failure.
Hi Eric.
I believe that with Go it's not safe to have two copies (even if they are the same version) of a package in the same exe. So such situations need to be resolved to a single copy.
On Monday, August 1, 2016 at 2:42:35 PM UTC-4, John Souvestre wrote:Hi Eric.I believe that with Go it's not safe to have two copies (even if they are the same version) of a package in the same exe. So such situations need to be resolved to a single copy.That's not completely true. You can have multiple copies of a package in different locations. As long as instances are isolated (no outside interaction or instances passed between locations) it will work. You will have binary bloat as each version is in there.It's not wise to do this in most cases but technically possible.
Hello Matt.
Understood. It’s not always unsafe, just sometimes unsafe.
Ø It's not wise to do this in most cases but technically possible.
Yes. Considering the risk, I would only consider doing it under extraordinary circumstances. Thus I would expect to have to manually force such a solution.
John
John Souvestre - New Orleans LA
From: go-package...@googlegroups.com [mailto:go-package...@googlegroups.com] On Behalf Of Matt Farina
Sent: 2016 August 08, Mon 11:35
To: Go Package Management
Subject: Re: [go-pm] A look at central repos
On Monday, August 1, 2016 at 2:42:35 PM UTC-4, John Souvestre wrote:
Hi Ian.
Ø It's not safe because the package may be acquiring resources in package init functions which could conflict with multiple imported copies.
Yes, but this could also be done somewhere else in the package besides the init function. In other words, you aren’t “safe” just because the package in question has no init function.
John
John Souvestre - New Orleans LA
From: go-package...@googlegroups.com [mailto:go-package...@googlegroups.com] On Behalf Of nos...@iandavis.com
Sent: 2016 August 08, Mon 12:26
To: go-package...@googlegroups.com
Subject: Re: [go-pm] A look at central repos
On Mon, Aug 8, 2016, at 05:34 PM, Matt Farina wrote:
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
Hi Ian.
Ø It's not safe because the package may be acquiring resources in package init functions which could conflict with multiple imported copies.
Yes, but this could also be done somewhere else in the package besides the init function. In other words, you aren’t “safe” just because the package in question has no init function.
s/version/copy of the package