Hi Ross,If everyone was already using dep, I'd personally prefer to see only a single version of the oauth package used in a given project without conversion functions and what-not. A release-branch.oauth1.0 could be maintained for backporting fixes for users still locked to version 1, but master would be the latest and greatest. Yes, that does mean all intermediate dependencies would need to upgrade to provide compatibility with v2, and be versioned themselves. Code would need to be written and pull requests opened, but in my mind that is a good thing. Everyone contributes and the ecosystem moves on.In reality, dep is still very new, and it's hard to even say if gophers are all using the vendor folder (one would hope). Introducing breaking changes on master would be unfortunate for anyone using the go get mechanism. So for now, my suggestion would be to fall back on the past approaches.
On Thu, May 18, 2017 at 12:48 PM, Nathan Youngman <he...@nathany.com> wrote:Yes, that does mean all intermediate dependencies would need to upgrade to provide compatibility with v2, and be versioned themselves.
you need to have a major version rev to every library that depends on foo
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
I think a new repository with a different path is the way to go.It's effectively a new package.Andrew
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To feed the point that we need multiple versions in a binary, here is an example:Let's use this oauth2 pkg as an example. The old API is crusty, awful and broken. So as an application author, I want to move my code to use v2 of oauth2.Many of my dependencies also use oauth2. Thus, I have to wait for each of my dependencies' authors to get up off their asses, make the change to incorporate oauth2 v2, and tag a new minor release before I can even think about moving my own code to oauth2.So logically/mathematically, yes I agree, we should be able to have a single version of any given pkg in a binary.But practically, OSS maintainers are strapped for time. Some of them are going to be very slow to update. Even if users send PRs for all of these changes (which most won't), maintainers still have to merge.This set of slow package maintainers, however small, will hold everyone else back.Steve Francia recently did a survey. There was a question around this - whether or not folks would like to have multiple versions of their pkg in a binary. Perhaps you've seen it already? The majority of responders wanted multiple versions in a single binary. I can dig it up if you haven't seen it.So even if you disagree with my example, there is no denying that users want multiple versions of a package in a binary. If dep won't help them do it, they will work *around* dep as it is designed today, not with it.If the only way for a packages to co-exist with other versions of itself is to create a new pkg, then this will become the new idiom for a major release in Go.I think that we can provide a better user experience than this.- Sarah
On Thu, May 18, 2017 at 2:10 PM, Andrew Gerrand <a...@google.com> wrote:
I think a new repository with a different path is the way to go.It's effectively a new package.Andrew
On 19 May 2017 at 05:14, 'Ross Light' via Go Package Management <go-package...@googlegroups.com> wrote:
Hi Package Management Working Group,Jaana and I have been contemplating releasing a major version 2 to golang.org/x/oauth2. It has many mistakes in its public API, to the point where maintaining two separate versions is acceptable to both of us. We'd like to hear your thoughts on how the proposed dep tool can handle this, or whether its design should be amended to assist in this case.To give background, the oauth2 package is a quite widely used package throughout the Go ecosystem. In particular, one of its types is particularly pervasive in exported APIs: oauth2.TokenSource. It looks like this:type TokenSource interface {Token() (*Token, error)}For various reasons, we'd like to change the API in a trivial but backward incompatible way (simplifying a bit):type TokenSource interface {Token(context.Context) (*Token, error)}Understandably, we do not want to mandate that every package that depends on oauth2 to make this conversion immediately. So in the meantime, we'd like to allow binaries to have both types of TokenSource available. The package does not have global mutable state concerns. And we've structured the new API such that converting between these types can be written as functions:func TokenSourceToV2(TokenSource) v2.TokenSourcefunc TokenSourceFromV2(v2.TokenSource) TokenSourceNow comes our problem: where do we put this new v2? of which I see three options: 1) a subdirectory of the existing repository 2) a new branch or 3) a new repositoryPlacing v2 in a subdirectory seems not ideal since the SemVer tags on the repo would also include the v2 directory, so they would be somewhat meaningless. I'm not going to explore this option in any great depth.Placing v2 on a new branch and creating a new SemVer tag seems to be the preferred option for the dep tool. However, IIUC both packages would have the same import path, so only one would be allowed in an application. This would be an exceedingly frustrating experience for all users of oauth2, because an application is now stuck in all-or-nothing scenario. The application would have to ask all of their dependencies to either upgrade or downgrade their dependency on oauth2 to v1 or v2. AFAICT, there would be no way to write the two conversion functions above, since only one version of a particular repository is allowed at one time. This is unfortunate, because we as library maintainers would be happy to provide utility code to allow the two to peacefully coexist.So let's examine the new repository option. (For most purposes, this is identical to the gopkg.in approach.) This would allow us as library maintainers to have v1 and v2 coexist, and add utility functions in a new minor version of v1 that can up-convert to v2. This way, an application can gradually upgrade their v1 and v2 usage without requiring other dependencies to be rewritten to use v2. However, what the library maintainer loses in this approach is that they have to push a new URL to developers learning about the package. (This is what I've done for go-capnproto vs go-capnproto2, for instance.) It feels a bit clumsy, since branches ought to be able to solve this. However, this is an approach that works today, even in the current `go get` model.I think this is an important use case for the dep tool, and I want to make sure the oauth2 package is setting the right precedent here. If I were to ask for a feature, it would be for major semantic versions to be treated as wholly separate packages. Along with type aliases, this would allow library maintainers to assist their users in gradually moving from one major semantic version to another.Thanks,-Ross
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
To feed the point that we need multiple versions in a binary, here is an example:Let's use this oauth2 pkg as an example. The old API is crusty, awful and broken. So as an application author, I want to move my code to use v2 of oauth2.Many of my dependencies also use oauth2. Thus, I have to wait for each of my dependencies' authors to get up off their asses, make the change to incorporate oauth2 v2, and tag a new minor release before I can even think about moving my own code to oauth2.So logically/mathematically, yes I agree, we should be able to have a single version of any given pkg in a binary.But practically, OSS maintainers are strapped for time. Some of them are going to be very slow to update. Even if users send PRs for all of these changes (which most won't), maintainers still have to merge.This set of slow package maintainers, however small, will hold everyone else back.Steve Francia recently did a survey. There was a question around this - whether or not folks would like to have multiple versions of their pkg in a binary. Perhaps you've seen it already? The majority of responders wanted multiple versions in a single binary. I can dig it up if you haven't seen it.So even if you disagree with my example, there is no denying that users want multiple versions of a package in a binary. If dep won't help them do it, they will work *around* dep as it is designed today, not with it.If the only way for a packages to co-exist with other versions of itself is to create a new pkg, then this will become the new idiom for a major release in Go.I think that we can provide a better user experience than this.- Sarah
On Thu, May 18, 2017 at 2:10 PM, Andrew Gerrand <a...@google.com> wrote:
I think a new repository with a different path is the way to go.It's effectively a new package.Andrew
On 19 May 2017 at 05:14, 'Ross Light' via Go Package Management <go-package...@googlegroups.com> wrote:
Hi Package Management Working Group,Jaana and I have been contemplating releasing a major version 2 to golang.org/x/oauth2. It has many mistakes in its public API, to the point where maintaining two separate versions is acceptable to both of us. We'd like to hear your thoughts on how the proposed dep tool can handle this, or whether its design should be amended to assist in this case.To give background, the oauth2 package is a quite widely used package throughout the Go ecosystem. In particular, one of its types is particularly pervasive in exported APIs: oauth2.TokenSource. It looks like this:type TokenSource interface {Token() (*Token, error)}For various reasons, we'd like to change the API in a trivial but backward incompatible way (simplifying a bit):type TokenSource interface {Token(context.Context) (*Token, error)}Understandably, we do not want to mandate that every package that depends on oauth2 to make this conversion immediately. So in the meantime, we'd like to allow binaries to have both types of TokenSource available. The package does not have global mutable state concerns. And we've structured the new API such that converting between these types can be written as functions:func TokenSourceToV2(TokenSource) v2.TokenSourcefunc TokenSourceFromV2(v2.TokenSource) TokenSourceNow comes our problem: where do we put this new v2? of which I see three options: 1) a subdirectory of the existing repository 2) a new branch or 3) a new repositoryPlacing v2 in a subdirectory seems not ideal since the SemVer tags on the repo would also include the v2 directory, so they would be somewhat meaningless. I'm not going to explore this option in any great depth.Placing v2 on a new branch and creating a new SemVer tag seems to be the preferred option for the dep tool. However, IIUC both packages would have the same import path, so only one would be allowed in an application. This would be an exceedingly frustrating experience for all users of oauth2, because an application is now stuck in all-or-nothing scenario. The application would have to ask all of their dependencies to either upgrade or downgrade their dependency on oauth2 to v1 or v2. AFAICT, there would be no way to write the two conversion functions above, since only one version of a particular repository is allowed at one time. This is unfortunate, because we as library maintainers would be happy to provide utility code to allow the two to peacefully coexist.So let's examine the new repository option. (For most purposes, this is identical to the gopkg.in approach.) This would allow us as library maintainers to have v1 and v2 coexist, and add utility functions in a new minor version of v1 that can up-convert to v2. This way, an application can gradually upgrade their v1 and v2 usage without requiring other dependencies to be rewritten to use v2. However, what the library maintainer loses in this approach is that they have to push a new URL to developers learning about the package. (This is what I've done for go-capnproto vs go-capnproto2, for instance.) It feels a bit clumsy, since branches ought to be able to solve this. However, this is an approach that works today, even in the current `go get` model.I think this is an important use case for the dep tool, and I want to make sure the oauth2 package is setting the right precedent here. If I were to ask for a feature, it would be for major semantic versions to be treated as wholly separate packages. Along with type aliases, this would allow library maintainers to assist their users in gradually moving from one major semantic version to another.Thanks,-Ross
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
I'd be keen to see those results. I'm concerned that people who said "yes, I want [to allow] multiple copies of a package in my binary" do not understand what they are asking for, or are applying an interpretation for how they think it might work in Go based on prior experience with a language with a different linking model.
On Fri, 19 May 2017, 08:34 'Sarah Adams' via Go Package Management <go-package-management@googlegroups.com> wrote:
To feed the point that we need multiple versions in a binary, here is an example:Let's use this oauth2 pkg as an example. The old API is crusty, awful and broken. So as an application author, I want to move my code to use v2 of oauth2.Many of my dependencies also use oauth2. Thus, I have to wait for each of my dependencies' authors to get up off their asses, make the change to incorporate oauth2 v2, and tag a new minor release before I can even think about moving my own code to oauth2.So logically/mathematically, yes I agree, we should be able to have a single version of any given pkg in a binary.But practically, OSS maintainers are strapped for time. Some of them are going to be very slow to update. Even if users send PRs for all of these changes (which most won't), maintainers still have to merge.This set of slow package maintainers, however small, will hold everyone else back.Steve Francia recently did a survey. There was a question around this - whether or not folks would like to have multiple versions of their pkg in a binary. Perhaps you've seen it already? The majority of responders wanted multiple versions in a single binary. I can dig it up if you haven't seen it.So even if you disagree with my example, there is no denying that users want multiple versions of a package in a binary. If dep won't help them do it, they will work *around* dep as it is designed today, not with it.If the only way for a packages to co-exist with other versions of itself is to create a new pkg, then this will become the new idiom for a major release in Go.I think that we can provide a better user experience than this.- Sarah
On Thu, May 18, 2017 at 2:10 PM, Andrew Gerrand <a...@google.com> wrote:
I think a new repository with a different path is the way to go.It's effectively a new package.Andrew
On 19 May 2017 at 05:14, 'Ross Light' via Go Package Management <go-package-management@googlegroups.com> wrote:
Hi Package Management Working Group,Jaana and I have been contemplating releasing a major version 2 to golang.org/x/oauth2. It has many mistakes in its public API, to the point where maintaining two separate versions is acceptable to both of us. We'd like to hear your thoughts on how the proposed dep tool can handle this, or whether its design should be amended to assist in this case.To give background, the oauth2 package is a quite widely used package throughout the Go ecosystem. In particular, one of its types is particularly pervasive in exported APIs: oauth2.TokenSource. It looks like this:type TokenSource interface {Token() (*Token, error)}For various reasons, we'd like to change the API in a trivial but backward incompatible way (simplifying a bit):type TokenSource interface {Token(context.Context) (*Token, error)}Understandably, we do not want to mandate that every package that depends on oauth2 to make this conversion immediately. So in the meantime, we'd like to allow binaries to have both types of TokenSource available. The package does not have global mutable state concerns. And we've structured the new API such that converting between these types can be written as functions:func TokenSourceToV2(TokenSource) v2.TokenSourcefunc TokenSourceFromV2(v2.TokenSource) TokenSourceNow comes our problem: where do we put this new v2? of which I see three options: 1) a subdirectory of the existing repository 2) a new branch or 3) a new repositoryPlacing v2 in a subdirectory seems not ideal since the SemVer tags on the repo would also include the v2 directory, so they would be somewhat meaningless. I'm not going to explore this option in any great depth.Placing v2 on a new branch and creating a new SemVer tag seems to be the preferred option for the dep tool. However, IIUC both packages would have the same import path, so only one would be allowed in an application. This would be an exceedingly frustrating experience for all users of oauth2, because an application is now stuck in all-or-nothing scenario. The application would have to ask all of their dependencies to either upgrade or downgrade their dependency on oauth2 to v1 or v2. AFAICT, there would be no way to write the two conversion functions above, since only one version of a particular repository is allowed at one time. This is unfortunate, because we as library maintainers would be happy to provide utility code to allow the two to peacefully coexist.So let's examine the new repository option. (For most purposes, this is identical to the gopkg.in approach.) This would allow us as library maintainers to have v1 and v2 coexist, and add utility functions in a new minor version of v1 that can up-convert to v2. This way, an application can gradually upgrade their v1 and v2 usage without requiring other dependencies to be rewritten to use v2. However, what the library maintainer loses in this approach is that they have to push a new URL to developers learning about the package. (This is what I've done for go-capnproto vs go-capnproto2, for instance.) It feels a bit clumsy, since branches ought to be able to solve this. However, this is an approach that works today, even in the current `go get` model.I think this is an important use case for the dep tool, and I want to make sure the oauth2 package is setting the right precedent here. If I were to ask for a feature, it would be for major semantic versions to be treated as wholly separate packages. Along with type aliases, this would allow library maintainers to assist their users in gradually moving from one major semantic version to another.Thanks,-Ross
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
+Steve
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
The survey was clear and so were the results. People would rather have things just work. The vast majority preferred including two different versions of a package over having to resolve conflicts.
While they are effectively two different packages as Andrew said, there are significant reasons to not make them separate repos. A short list would include: retaining history, not having to recreate all of the maintainers and permissions, retaining popularity, not supporting the old version indefinitely, wanting people to only adopt the newest one, minimizing version confusion. I'm sure there are many many more.
I'm stuck on a train but I can post the survey results tomorrow.
+Steve
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
+Steve
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
Note, you obviously can have multiple packages per repo, although I agree with the ideology of having multiple versions per binary, oauth2 package could also have a oauth2/v2 package (for lack of a better name) in the same repository.
+Steve
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--Bradley Falzon
br...@teambrad.net
I'd be keen to see those results. I'm concerned that people who said "yes, I want [to allow] multiple copies of a package in my binary" do not understand what they are asking for, or are applying an interpretation for how they think it might work in Go based on prior experience with a language with a different linking model.
On Fri, 19 May 2017, 08:34 'Sarah Adams' via Go Package Management <go-package-management@googlegroups.com> wrote:
To feed the point that we need multiple versions in a binary, here is an example:Let's use this oauth2 pkg as an example. The old API is crusty, awful and broken. So as an application author, I want to move my code to use v2 of oauth2.Many of my dependencies also use oauth2. Thus, I have to wait for each of my dependencies' authors to get up off their asses, make the change to incorporate oauth2 v2, and tag a new minor release before I can even think about moving my own code to oauth2.So logically/mathematically, yes I agree, we should be able to have a single version of any given pkg in a binary.But practically, OSS maintainers are strapped for time. Some of them are going to be very slow to update. Even if users send PRs for all of these changes (which most won't), maintainers still have to merge.This set of slow package maintainers, however small, will hold everyone else back.Steve Francia recently did a survey. There was a question around this - whether or not folks would like to have multiple versions of their pkg in a binary. Perhaps you've seen it already? The majority of responders wanted multiple versions in a single binary. I can dig it up if you haven't seen it.So even if you disagree with my example, there is no denying that users want multiple versions of a package in a binary. If dep won't help them do it, they will work *around* dep as it is designed today, not with it.If the only way for a packages to co-exist with other versions of itself is to create a new pkg, then this will become the new idiom for a major release in Go.I think that we can provide a better user experience than this.- Sarah
On Thu, May 18, 2017 at 2:10 PM, Andrew Gerrand <a...@google.com> wrote:
I think a new repository with a different path is the way to go.It's effectively a new package.Andrew
On 19 May 2017 at 05:14, 'Ross Light' via Go Package Management <go-package-management@googlegroups.com> wrote:
Hi Package Management Working Group,Jaana and I have been contemplating releasing a major version 2 to golang.org/x/oauth2. It has many mistakes in its public API, to the point where maintaining two separate versions is acceptable to both of us. We'd like to hear your thoughts on how the proposed dep tool can handle this, or whether its design should be amended to assist in this case.To give background, the oauth2 package is a quite widely used package throughout the Go ecosystem. In particular, one of its types is particularly pervasive in exported APIs: oauth2.TokenSource. It looks like this:type TokenSource interface {Token() (*Token, error)}For various reasons, we'd like to change the API in a trivial but backward incompatible way (simplifying a bit):type TokenSource interface {Token(context.Context) (*Token, error)}Understandably, we do not want to mandate that every package that depends on oauth2 to make this conversion immediately. So in the meantime, we'd like to allow binaries to have both types of TokenSource available. The package does not have global mutable state concerns. And we've structured the new API such that converting between these types can be written as functions:func TokenSourceToV2(TokenSource) v2.TokenSourcefunc TokenSourceFromV2(v2.TokenSource) TokenSourceNow comes our problem: where do we put this new v2? of which I see three options: 1) a subdirectory of the existing repository 2) a new branch or 3) a new repositoryPlacing v2 in a subdirectory seems not ideal since the SemVer tags on the repo would also include the v2 directory, so they would be somewhat meaningless. I'm not going to explore this option in any great depth.Placing v2 on a new branch and creating a new SemVer tag seems to be the preferred option for the dep tool. However, IIUC both packages would have the same import path, so only one would be allowed in an application. This would be an exceedingly frustrating experience for all users of oauth2, because an application is now stuck in all-or-nothing scenario. The application would have to ask all of their dependencies to either upgrade or downgrade their dependency on oauth2 to v1 or v2. AFAICT, there would be no way to write the two conversion functions above, since only one version of a particular repository is allowed at one time. This is unfortunate, because we as library maintainers would be happy to provide utility code to allow the two to peacefully coexist.So let's examine the new repository option. (For most purposes, this is identical to the gopkg.in approach.) This would allow us as library maintainers to have v1 and v2 coexist, and add utility functions in a new minor version of v1 that can up-convert to v2. This way, an application can gradually upgrade their v1 and v2 usage without requiring other dependencies to be rewritten to use v2. However, what the library maintainer loses in this approach is that they have to push a new URL to developers learning about the package. (This is what I've done for go-capnproto vs go-capnproto2, for instance.) It feels a bit clumsy, since branches ought to be able to solve this. However, this is an approach that works today, even in the current `go get` model.I think this is an important use case for the dep tool, and I want to make sure the oauth2 package is setting the right precedent here. If I were to ask for a feature, it would be for major semantic versions to be treated as wholly separate packages. Along with type aliases, this would allow library maintainers to assist their users in gradually moving from one major semantic version to another.Thanks,-Ross
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
- Multiple packages. At scale, I think allowing v1 and v2 of a single package to be linked into the final binary is unavoidable. It's also not possible to express in the "top-level vendor directory" model. Another reason to eliminate the "translate lock file to vendor directory" step.
Sorry - ultimately you'll have to create a separate repository, OR move them into a new package within the existing project. Point is, this has to be accomplished at the namespace level, not the version level :D
I don't see why it should be in the same repository.
While they are effectively two different packages as Andrew said, there are significant reasons to not make them separate repos. A short list would include: retaining history, not having to recreate all of the maintainers and permissions, retaining popularity, not supporting the old version indefinitely, wanting people to only adopt the newest one, minimizing version confusion. I'm sure there are many many more.
In fact, it seems strictly worse to put the new package in the same repository.It just creates more potential versioning issues down the road.
If they're separate they should be separate.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
retaining history
not having to recreate all of the maintainers and permissions, retaining popularity
not supporting the old version indefinitely
wanting people to only adopt the newest one
minimizing version confusion.
To add one more, when creating an issue which affects multiple versions (a bug or feature), the issue may need to be duplicated, and the PR/commit may be more difficult to manage as well (duplication).
+Steve
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
Apologies for this style of nitpicky reply, but I feel it is necessary to be clear on each of these points.On 19 May 2017 at 11:36, Bradley Falzon <br...@teambrad.net> wrote:retaining history
The history is still there in the old repository. Or if you really care, start the new repository by cloning the old one and committing a change that deletes all the old files. But if the new package is really a new package, why does the history matter?not having to recreate all of the maintainers and permissions, retaining popularity
Neither of these seem like relevant concerns for the oauth2 package. Copying maintainers+permissions for a Go repo is just cloning the empty repo. The new package will become popular inasmuch as it'll be better than the existing one. Plus we control godoc.org, right? We should hide deprecated packages from its search results.
>>>>>>>> send an email to go-package-management+unsub...@googlegroups.com.
>>>>>>>> To post to this group, send email to
>>>>>>>> go-package...@googlegroups.com.
>>>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Go Package Management" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>>> an email to go-package-management+unsub...@googlegroups.com.
>>>>>> To post to this group, send email to
>>>>>> go-package...@googlegroups.com.
>>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>>
>>>
> --
>
> Steve Francia | TPM Go Lang | sfra...@google.com | Google Inc.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Go Package Management" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-package-management+unsub...@googlegroups.com.
+Steve
--
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
Hi Ross,I've worked with gopkg.in in the past, and while it was better than nothing, the approach wasn't without issues.In my initial reply, I said "for now, my suggestion would be to fall back on the past approaches." After more thought, I need to take back that advice.Consider this. The oauth library has the limelight of being a golang.org/x package. The dep tool is being built as the hopeful versioning strategy for the Go community.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsubscri...@googlegroups.com.
To post to this group, send email to go-package-management@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
Thanks for the clarification.You say in that message: "As you note, this is sorta gopkg.in-style (though that really only works with single-package libs)." That's not true: if you give different branches of the repository different import paths, then the branches can use their designated import path. gopkg.in definitely works for multi-package libraries.
I would be disappointed as a library maintainer that even if I wanted to put in effort to give my users functions to convert between my different version's types that it would be impossible for me to do with dep without starting a new repository.
I agree with your earlier sentiment, writing up guides on each of these scenarios would help get feedback on pain points from the community.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-manag...@googlegroups.com.
There are definitely some gymnastics to Andrew's approach. It's unclear to me at what point you could actually delete your v1 code from your master branch. And +1 to Jaana's remarks: the reason we're asking here is that we want to set a good example for how folks can use dep in the future.
There are two entangled problems that folks want versioned dependencies to solve:1) Code that expects one API surface, but receives another (incompatible) API surface by accident2) Not being able to reproduce buildsgopkg.in (and this thread) is touching on problem #1, but says nothing about #2. dep seems to be great at fixing #2 (yay!), but I don't see much support for #1. The reason I raise this is because even in the approach that Andrew outlined, we're establishing a very loose convention that already introduces "major" version number into the import path. I think codifying that convention (a branch/major semantic version acts as a separate import path) makes Go align with how developers already use version control tools.
I'm still not exactly sure what to do for x/oauth2. Seems like creating a subdirectory or a separate repository are still the only options even in post-dep-world, where what I'd love to be able to do is just start a new branch and give it a new import path.
-Ross
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "Go Package Management" group.
To unsubscribe from this group and stop receiving emails from it, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
To post to this group, send email to go-package...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to a topic in the Google Groups "Go Package Management" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/go-package-management/fp2uBMf6kq4/unsubscribe.
To post to this group, send email to go-package-management@googlegroups.com.To unsubscribe from this group and all its topics, send an email to go-package-management+unsub...@googlegroups.com.
There are quite a number of entangled problems that we have to solve - more than just these two. But the assertion that dep doesn't deal with #1 is incorrect. To say otherwise suggests to me that you have either not spent much time with dep, and/or that you are confusing the sufficiency of the system as a whole with dep's immediate capability for dealing with your currently-devised solution for this particular use case.
To me, at least, you were signaling this from the OP, by suggesting very design of dep may have a fault. Now, it's of course possible that any one thing we haven't considered might seriously undermine our current design. (I live in constant, albeit gradually subsiding fear of that happening). But opening up a discussion within that frame, and following it on with assertions that dep is essentially not fit for purpose...well, right now, this discussion feels to me like harmfully overeager tugging at a loose thread on a sweater. I'd prefer a narrower focus on solving the specific problem at hand - shims.
Let me try to summarize some relevant but sorta disconnected points, before I check out for the weekend:
- Shims are a real use case, and it's important we have a plan for how to address them.
- Shims are not the only use case, and must be considered in the wider context of all the tradeoffs we need to make in the tool.
- While i do not currently have a fully-formed solution in my mind for shims, I have a latent one based on this observation https://groups.google.com/d/msg/go-package-management/fp2uBMf6kq4/OOKZLqbxBQAJ that my instincts tell me, when coupled with some smart use of interfaces, should get shims at least 80% of the way there.
- The accretion-only, with occasional deprecation cleanup on major version bumps, is probably the sanest overall versioning model we could advocate.
- Keeping names and versions as orthogonal properties contributes significantly to system simplicity and regularity, and should probably remain as the foundation on which we build.
I'm still not exactly sure what to do for x/oauth2. Seems like creating a subdirectory or a separate repository are still the only options even in post-dep-world, where what I'd love to be able to do is just start a new branch and give it a new import path.
This does seem like the right goal to set, when we go about the business of weighing tradeoffs.
Replies inline.On Fri, May 19, 2017 at 8:17 PM Sam Boyer <samuel....@gmail.com> wrote:There are quite a number of entangled problems that we have to solve - more than just these two. But the assertion that dep doesn't deal with #1 is incorrect. To say otherwise suggests to me that you have either not spent much time with dep, and/or that you are confusing the sufficiency of the system as a whole with dep's immediate capability for dealing with your currently-devised solution for this particular use case.A totally fair assessment. I have tried using dep for several (small) projects, but since there are few docs/guides on how to use dep from a library maintainer's standpoint, I'm wanting to know more about best practices around usage. "Use semantic version tags" appears to be the popular advice, but because I don't understand how these tags will be used by importers of the library, it's hard for me to make a judgement call. I didn't want to file an issue in case I was "holding it wrong". :)
To me, at least, you were signaling this from the OP, by suggesting very design of dep may have a fault. Now, it's of course possible that any one thing we haven't considered might seriously undermine our current design. (I live in constant, albeit gradually subsiding fear of that happening). But opening up a discussion within that frame, and following it on with assertions that dep is essentially not fit for purpose...well, right now, this discussion feels to me like harmfully overeager tugging at a loose thread on a sweater. I'd prefer a narrower focus on solving the specific problem at hand - shims.I apologize that my post came across that way; it was not my intent. My post was intended as a request for support. But IIUC dep is meant to be a tool we can rapidly iterate on, I wanted to point this out as a use-case/feedback in case further refinement is desirable.