top | item 23763557

(no title)

m0th87 | 5 years ago

You're not alone. I've been writing go since before 1.0, and can handle modules/packages in _any other language_ fine, yet go's regularly leaves me stumped.

A little while ago we were hitting yet another issue with dependencies related to version pinning at work. I tried to divine what the disparate versions mean, and came up with this flow chart from a legalistic reading of stack overflow issues [1] and the go modules doc [2]:

  has the package opted into go modules (i.e. is there a go.mod?)
    yes
      does the repository use semver?
        yes
          is the major version <= 1?
            yes
              => normal versioning, e.g. github.com/stretchr/testify v1.3.0
            no
              => when importing, we need add /vN at the end, e.g., import "github.com/my/mod/v4", and in go.mod it will behave like github.com/my/mod/v4 v4.1.0
        no
          => pseudo-versioning will be used, e.g. github.com/kolo/xmlrpc v0.0.0-20190717152603-07c4ee3fd181
    no
      does the repository use semver?
        yes
          is the major version <= 1?
            yes
              => pseudo-versioning will be used, e.g. github.com/kolo/xmlrpc v0.0.0-20190717152603-07c4ee3fd181
            no
              => version will be marked as incompatible, e.g. github.com/zeromq/goczmq v4.1.0+incompatible
        no
          => ???

I still don't know if this is right. But that's not really the point. I think the go authors painted themselves into a corner with such an anemic initial release. Now that they're trying to address shortcomings, the complexity is blowing up to handle the very large/diverse ecosystem. It reminds me a lot of java around 1.4 when they added in generics. In the long-run it was the right move, but man was it painful.

1: https://stackoverflow.com/a/57372286 2: https://github.com/golang/go/wiki/Modules

discuss

deathanatos|5 years ago

I packaged a golang project once. I had to independently discover a lot of that.

I'll also add that fetching a golang package was complicated. As I remember, GitHub seemed to be special cased. Other URLs involved an HTTP request with a ?go-get=1 parameter, and then parsing the returned HTML for certain meta tags¹. (I thought only Python was guilty of that sin!) Some URLs I ended up just re-writing, because gopkg.in packages effectively redirect to GitHub in ways that, if abandoned, allow someone else to intercept[1].

And none of this is documented anywhere particularly coherent. Bits here and there, maybe.

(Why not use go itself? Because this platform's package manager wanted to verify that the software was being built from the correct source, by hashing the inputs. It also, then, fetched those inputs, so that there wasn't some form of bait & switch, and there is no network at build time to further prevent silliness. I considered vendoring, but it isn't clear to me how vendoring works with go modules, since it doesn't seem to take into account the module version? / the path layout only allows for a single version.)

[1]: https://github.com/go-fsnotify/fsnotify

¹some servers didn't even return the right Content-Type, either, but perhaps that's an implementation bug. But I didn't have a spec to know.