Hi Aaron,
This is a general concept go should support and companies need. Google achieves this I hear by copying dependencies into their own source tree. Capital One also has strong controls on where source comes from, though I think they do it differently. I know heroku has to employ this type of proxies for other languages as well. So I agree that the concept of: "put dependencies under your control when you fetch them" is a good and needed one.
There are several places to place such a cache, having one doesn't always replace another:
- Theoretically you could configure a tool at the ENV level to always look at a proxy location for deps (possibly never go to end source).
- With today's tools you can configure a flexible origin to point to a local vcs repository.
- With today's tools you can store the current revision of the dep in your project's vendor directory.
Anecdotally, I don't really get affected by github downtime or the
code.google.com transition because I copy dependencies into the local vendor directory.
I do think it is important for us to have a story for organizations, such as Capital One which disallow copying dependencies into the local repository but still need to control the origin. Obviously there are solutions available, but I'm not a part of that environment first hand so I'm unsure the best solution to recommend. There may be other options we also want to consider as well (I have a few Ideas, though I don't care to go into them right now).
I do want to let you know I'm at least partially aware of situations like yours, and would like to help design a first class solution. -Daniel