> proxy.golang.org does not save all modules forever.
Which means, your project may not compile anymore if someone pulls one of your dependencies and proxy.golang.org decides to drop it.
When you read that, you may decide to just track the vendor/ folder in your repo and forget about proxies for OSS projects.
What is the recommendation from the Go community about this?
- Are there public go proxies can be used for OSS projects ensuring you will never lose any dependency?
- Is https://goproxy.io/ giving such guarantee maybe?
- Should we just vendor and forget about Go-Proxies for Open Source?
Thanks,
Jose
When working on internal company projects, it makes sense to use a company wide GO Proxy assuring that all go dependency code is available and immutable. But when you move to an Open Source project, you cannot longer use such private proxy.I wonder what is the best practice recommendation for Open Source projects.
For instance, reading about https://proxy.golang.org/ is says:> Why did a previously available module become unavailable in the mirror?> proxy.golang.org does not save all modules forever.
Which means, your project may not compile anymore if someone pulls one of your dependencies and proxy.golang.org decides to drop it.
When you read that, you may decide to just track the vendor/ folder in your repo and forget about proxies for OSS projects.
What is the recommendation from the Go community about this?
- Are there public go proxies can be used for OSS projects ensuring you will never lose any dependency?
- Is https://goproxy.io/ giving such guarantee maybe?
- Should we just vendor and forget about Go-Proxies for Open Source?
--Thanks,
Jose
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/47c445ca-884d-49b5-8357-aeae8802e937n%40googlegroups.com.
I do agree with all that. All very good points indeed.What about prevention?It can happen that a project looks very active and trustworthy when you chose to depend on it. But later on, it decides to take on new dependencies that are less reliable, or starts being less and less maintained. If that happens I am not sure how you would notice in advance, unless you actively check all your deps manually... which in my experience will not happen in most cases in real life. So in the end it is likely that you might run into trouble on the worst possible moment. For instance, your project is in maintenance mode, it does not get a lot of new features but needs to be keep up to date, etc. A dep disappears right after you need to send a security patch ASAP, and suddenly your SLA is in trouble.So still you might need or want some insurance stronger than a public go proxy to recover the latest copy you were using and start your own fork.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/17edab03-a467-4b70-b2bb-62446e3ed03dn%40googlegroups.com.