How up to date are dependencies and how up to date do they need to be

Matt Farina
Aug 24, 2016, 5:08:44 PM
to Go Package Management
Ever since I used David, for nodejs projects I've worked on, and the Drupal Update manager, for the popular CMS, I've had a healthy respect and interest in tracking the state of the dependencies in use: whether there are security releases, bug fixes, and so forth.

I'm not aware of much in the Go space but I believe this does play into any conversations on dependency management. Management isn't just fetching but lifecycle management.

Playing around with the idea I wrote Glide Report. It's not like the others, partly because the data isn't available and partly because this is just a quick initial commit.

If you want to see what it generates see the Kubernetes and runC reports.

My 2 cents: when we consider dependency management it's worth keeping things like this in mind. Not necessarily to go build it, but that should be part of the ecosystem.

Any thoughts? Any examples from other languages?

Jessica Frazelle
Aug 24, 2016, 5:17:17 PM
to Matt Farina, Go Package Management
ah whattt runc is still importing docker/docker I thought we fixed that
*shakes fist at cloud*
--


Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu

Bradley Falzon
Aug 24, 2016, 6:33:23 PM
to Matt Farina, Go Package Management
I want to +1 being able to alert/track (in some way) on security
related releases. Organisations like ours (managed services) prefer
systems that can track security updates separately from bug fixes
(similar to how system package managers can highlight CVEs, and other
language package managers can highlight pending security updates in
modules/plugins) and would love to see that point being considered.
--
Bradley Falzon
br...@teambrad.net

Thomas Boerger
Aug 25, 2016, 3:29:06 AM
to go-package...@googlegroups.com
Hi

On 08/24/2016 11:08 PM, Matt Farina wrote:
> Ever since I used David <https://david-dm.org/>, for nodejs projects
> I've worked on, and the Drupal Update manager
> <https://www.drupal.org/documentation/modules/update>, for the popular
> CMS, I've had a healthy respect and interest in tracking the state of
> the dependencies in use: whether there are security releases, bug fixes,
> and so forth.
>
> I'm not aware of much in the Go space but I believe this does play into
> any conversations on dependency management. Management isn't just
> fetching but lifecycle management.
>
> Playing around with the idea I wrote Glide Report
> <https://github.com/Masterminds/glide-report>. It's not like the others,
> partly because the data isn't available and partly because this is just
> a quick initial commit.
>
> If you want to see what it generates see the Kubernetes
> <https://gist.github.com/mattfarina/fcba945cfd9efc49c284c202d7dfab92>
> and runC
> <https://gist.github.com/mattfarina/d9e4bfed106af3ea8cf7f0e80a34d196>
> reports.

That's a really interesting tool! Sad that it's only for glide and not
for other dependency managers.

> My 2 cents: when we consider dependency management it's worth keeping
> things like this in mind. Not necessarily to go build it, but that should
> be part of the ecosystem.
>
> Any thoughts? Any examples from other languages?

While I did Ruby development I used Gemnasium <https://gemnasium.com> to
track outdated dependencies. Another way has been the command
`bundle outdated` <http://bundler.io/v1.1/bundle_outdated.html>.


Best,
Thomas Boerger

--
Thomas Boerger <tboe...@suse.de>
Docker Developer
SUSE Linux GmbH, Maxfeldstr. 5, D-90409 Nürnberg
Tel: +49-911-74053-0; Fax: +49-911-7417755; https://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


Chris Hines
Aug 25, 2016, 10:20:56 AM
to Go Package Management
On Wednesday, August 24, 2016 at 5:08:44 PM UTC-4, Matt Farina wrote:
> Ever since I used David, for nodejs projects I've worked on, and the Drupal Update manager, for the popular CMS, I've had a healthy respect and interest in tracking the state of the dependencies in use: whether there are security releases, bug fixes, and so forth.
>
> I'm not aware of much in the Go space but I believe this does play into any conversations on dependency management. Management isn't just fetching but lifecycle management.

Absolutely agree that lifecycle management is important. Other tools I've seen that help with this to varying degrees:
