Why do we have a problem?
@jbaruch
#golang
http://jfrog.com/shownotes
Slide 7
Why do we have a problem?
Slide 8
Simple solution!
- Dependencies are sources
- Remote import is a VCS path
- Dump everything together into one source tree (GOPATH)
- Compile
- Profit
Slide 9
Slide 10
But… how do I…
- Know which dependencies do I use?
- Know which dependencies did you use?
- Know which dependencies should I use?
- Know is it our code that I am editing right now?
- WTF is going on?!
Slide 11
Yeah…
“To date, we’ve resorted to an email semaphore whenever someone fixes a bug in a package, imploring everyone else to run go get -u. You can probably imagine how successful this is, and how much time is being spent chasing bugs that were already fixed.”
Dave Cheney
Slide 12
Duplicate your dependencies
“Check your dependencies to your own VCS.”
Brad Fitzpatrick
Slide 13
Build your own dependency manager
“It’s not the role of the tooling provided by the language to dictate how you manage your code in the production sense.”
Andrew Gerrand
Slide 14
We expect you to already have a homegrown dependency manager
“If you need to build any tooling around what Go uses (Git, Mercurial, Bazaar), you already understand those tools, so it should be straightforward to integrate with whatever system you have.”
Andrew Gerrand
Slide 15
Don’t trust what we’ve built
“go-get is nice for playing around, but if you do something serious, like deploying to production, your deploy script now involves fetching some random dude’s stuff on GitHub.”
Brad Fitzpatrick
Two huge problems with GOPATH
- It only allows a single version of any given package to exist at once (per GOPATH)
- We cannot programmatically differentiate between code the user is working on and code they merely depend on
Slide 21
vendoring
“Copy all of the files at some version from one version control repository and paste them into a different version control repository”
Slide 22
What’s wrong with it (well, what’s not)
- History, branch, and tag information is lost
- Pulling updates is impossible
- It invites modification, divergence, and bad forks
- It wastes space
- Good luck finding which version of the code you forked
Slide 23
Slide 24
Still wrong!
- You still have no idea what version you are using
- You have to connect each dependency as a submodule manually
- Switching branches and forks LOL
- Working on modules with other teams ROFL
Slide 25
Slide 26
The go dep experiment
Slide 27
Slide 28
Proper dependency management?
- Working in project directories
- Local cache for dependencies
- Version declarations
- Conflict resolution
Slide 29
Conflict on the conflict resolution
SAT/SMT vs MVS/SIV
Slide 30
Enter Go modules
Slide 31
Enter Go modules
Slide 32
Backwards compatibility and migration
- go mod init
- go.mod file is created
- The rest is the same: imports in code just work
Slide 33
That’s some serious dark magic…
Slide 34
Go modules convert everything (almost?)
Slide 35
What happens to go.mod when you add an import (and run go get/go build)
Slide 36
- Go checks the URL:
  - If it’s Go Proxy (module repository), it gets the module
  - If it’s a VCS, it clones and builds the module locally
  - If it’s a web page, it looks for the go-import meta tag
- Selects the latest compatible version tag
- Semantic import versioning
Slide 37
Slide 38
Compatible?!
- Let’s assume SemVer works (LOL)
- The latest version of v1.x.x is compatible with v1.0.0 and up
- Premise: import path string should always be backwards compatible
Slide 39
What about version 2?!
- Incompatible code can’t use the same import path
- Add /v2/ to the module path
- Use /v2/ in the import path
- import "github.com/my/module/v2/mypkg"
Slide 40
What if it doesn’t have any semver tags?!
- Pseudo version v0.0.0-yyyymmddhhmmss-abcdefabcdef
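The /v2/ rule and the pseudo-version format from the two slides above, as an added example (not code from the talk or from the Go toolchain): a stdlib-only audit of one go.mod requirement that checks the path suffix against the version's major number and decodes pseudo-versions, which pin an untagged commit. The function names, the example.com path and the regexes are assumptions; the regexes simplify the toolchain's rules (gopkg.in paths are ignored), and the code also handles "+incompatible" versions and the two longer pseudo-version forms, which the slides do not show.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

var (
	semver = regexp.MustCompile(`^v(\d+)\.\d+\.\d+[^+]*(\+incompatible)?$`)
	vN     = regexp.MustCompile(`/v\d+$`)
	pseudo = regexp.MustCompile(`^v\d+\.(?:0\.0-|\d+\.\d+-(?:[^+]*\.)?0\.)(\d{14})-([0-9a-f]{12})(?:\+incompatible)?$`)
)

// ParsePseudo reports the UTC commit time and 12-character commit prefix a pseudo-version pins.
func ParsePseudo(version string) (time.Time, string, bool) {
	m := pseudo.FindStringSubmatch(version)
	if m == nil {
		return time.Time{}, "", false
	}
	t, err := time.Parse("20060102150405", m[1])
	return t, m[2], err == nil
}

// CheckSIV returns an error when the module path suffix and the version's major number disagree.
func CheckSIV(path, version string) error {
	m := semver.FindStringSubmatch(version)
	if m == nil {
		return fmt.Errorf("%s: %q is not a module version", path, version)
	}
	want, got := "", vN.FindString(path) // "" means the path carries no /vN suffix
	if m[1] != "0" && m[1] != "1" && m[2] == "" {
		want = "/v" + m[1] // v0, v1 and "+incompatible" versions take no suffix
	}
	if got != want {
		return fmt.Errorf("%s@%s: path suffix %q, version requires %q", path, version, got, want)
	}
	return nil
}

func main() {
	// Constructed entries; only github.com/my/module comes from the slides.
	for _, r := range [][2]string{{"github.com/my/module", "v2.1.0"}, {"example.com/untagged", "v0.0.0-20190102150405-abcdefabcdef"}} {
		_, rev, untagged := ParsePseudo(r[1])
		fmt.Println(r[0], r[1], "| SIV:", CheckSIV(r[0], r[1]), "| untagged:", untagged, rev)
	}
}
```

Requirements flagged as untagged are worth reviewing by hand, since the version string carries no release tag, only a commit time and hash prefix.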
Slide 41
What if (when) I want to ban a version?!
- You can specify “version X or later”: >= x.y.z
- You can use exclude or replace for better control
Slide 42
From vendoring to hierarchy of module repositories
Slide 43
Go modules define a hierarchy of caches
- Public Modules Repository
  - GoCenter
- Organizational Modules Repository
  - The Athens Project
  - JFrog Artifactory
- Local cache on the developer’s machine
  - $GOPATH/pkg/mod
Slide 44
Local cache on the developer’s machine
- After the mods are resolved (or built) they are cached in $GOPATH/pkg/mod
- Provides immediate access
- Not shared
- Not reliable (can be wiped at any moment)
Slide 45
Organizational modules repository
- JFrog Artifactory or Project Athens
- Provides faster (Intranet) access
- Provides reproducible builds as it caches the dependencies used once for build reproduction
- Requires team infrastructure and maintenance (SaaS offers exist)
Slide 46
public modules repositories
- GoCenter
- Google announced a vision for a federation of public repositories
- Provides fast access
- Provides reproducible builds as it caches the popular and requested dependencies from version control
- Highly available, requires no maintenance, free