Go Modules: Why and how – all you need to know in less than an hour

Refactoring to modules: All you need to know in less than an hour @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Let’s go back in time

Pre 1.0 (2012) 1.2 (2013) Poll time! 1.5 (2015) 1.8 (2017) 1.11 (2018) @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

🎩 @jbaruch #dockercon jfrog.com/shownotes @ErinMeyerINSEAD’s “Culture Map”

shownotes http://jfrog.com/shownotes Slides Video Links Comments, Ratings Raffle @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Why we have a problem? @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Dependencies are sources Remote import is a VCS path Simple solution! Dump everything together into one source tree (GOPATH) Compile Profit @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

@jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Know which dependencies do I use? Know which dependencies did you use? Know which dependencies should I use? But… how do i… Know is it our code that I am editing right now? WTF is going on?! @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Yeah… “ To date, we’ve resorted to an email semaphore whenever someone fixes a bug a package, imploring everyone else to run go get -u. You can probably imagine how successful this is, and how much time is being spent chasing bugs that were already fixed. Dave Cheney @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Duplicate your dependencies “ Check your dependencies to your own VCS. Brad Firzpatrick @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Build your own dependency manager “ It’s not the role of the tooling provided by the language to dictate how you manage your code in the production sense. Andrew Gerrand @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

We expect you to already have a homegrown dependency manager “ If you need to build any tooling around what Go uses (Git, Mercurial, Bazaar), you already understand those tools, so it should be straightforward to integrate with whatever system you have. Andrew Gerrand @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Don’t trust what we’ve built “ go-get is nice for playing around, but if you do something serious, like deploying to production, your deploy script now involves fetching some random dude’s stuff on GitHub. Brad Firzpatrick @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

godeps.json dependencies.tsv govendor, govend, goven, gv quiz time! trash, garbage, rubbish Weapons manufacturer @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

GOPATH + VENDORING = 💖 @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

GOPATH, The proud son of the monorepo

It only allows a single version of any given package to exist at once (per GOPATH) Two huge problems with gopath @jbaruch We cannot programmatically differentiate between code the user is working on and code they merely depend on #CharlotteGolang #jcenter http://jfrog.com/shownotes

Vendoring – the worst kind of forking “ Copy all of the files at some version from one version control repository and paste them into a different version control repository @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

What’s wrong with it (well, what’s not) @jbaruch #CharlotteGolang History, branch, and tag information is lost Pulling updates is impossible It invites modification, divergence, and bad fork It wastes space Good luck finding which version of the code you forked #jcenter http://jfrog.com/shownotes

You still have no idea what version are you using You have to connect each dependency as a submodule manually Switching branches and forks LOL Working on modules with other teams ROFL Still wrong! @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

@jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

The go dep experiment

@jbaruch #dockercon jfrog.com/shownotes

Working in project directories Proper dependency management? Local cache for dependencies Version declarations Conflict resolution @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Conflict on the conflict resolution SAT/SMT vs MVS/SIV

Enter Go modules

Enter go modules @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Backwards compatibility and migration @jbaruch #CharlotteGolang go mod init go.mod file is created The rest is the same: imports in code just work #jcenter http://jfrog.com/shownotes

That’s some serious magic… @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Go modules convert everything (almost?) @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

What happens to go.mod when you add import (and run go get/go build)

Have goimport? no yes Follow goimport URL yes Invalid import path Serve the module no Is it a webpage ? no Is it a VCS? yes Build the module locally Clone the sources Access import path as URL

Latest compatible version tag

@jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Let’s assume SemVer works (LOL) The latest version of v1.x.x is compatible with v1.0.0 and up Compatible?! Premise: import path string should always be backwards compatible @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

] Incompatible code can’t use the same import path Add /v2/ to the module path What about version 2?! Use /v2/ in the import path import “github.com/my/module/v2/mypkg” @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

What if it doesn’t have any semver tags?! @jbaruch #CharlotteGolang Pseudo version v0.0.0-yyyymmddhhmmss-abcdefabcdef #jcenter http://jfrog.com/shownotes

What if (when) I want to ban a version?! @jbaruch #CharlotteGolang You can specify “version X or later”: >= x.y.z You can use exclude or replace for better control #jcenter http://jfrog.com/shownotes

Houston… I think I lost my module?

From vendoring to hierarchy of module repositories

Modules shoud be immutable The <module>@v<version> construct should be immutable That means that github.com/myuser/myrepo/@v/v1.0.0 Should forever be the same…

But are they really? “ ”Friends don’t let friends do git push -f” Aaron Schlesinger @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Using the goproxy variable export GOPROXY=https://myawesomeproxy.com go get github.com/myuser/myrepo

Have goimport? no yes Access import path as URL Follow goimport URL yes Invalid import path Serve the module no Is it a webpage ? no Is it a VCS? no Is it a module repo? yes Build the module locally Clone the sources yes

Keeping modules Local cache ($GOPATH/pkg/mod) Immediate access, not shared, can be wiped… Organizational cache (private proxy) Fast access, requires infra, shared across devs Public cache (public proxy) Highly available, CDN, no infra, free

Immutable and repeatable builds Immutable dependencies The best way to guarantee issues is force push Lost Dependencies Who doesn’t remember left-pad with Node.js? Internet Issues Even build when GitHub is down!?

And also faster builds…

Documentation Stats More value to gocenter @jbaruch Nudges Ratings #CharlotteGolang #jcenter http://jfrog.com/shownotes

Documentation Active Development # of stars Unit test coverage Licensing # of Dependents Passing unit tests # of forks # of maintainers Score of dependencies Security # of downloads Who the judges are?! @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes

Twitter ads and q&A jfrog.com/shownotes @jbaruch #CharlotteGolang gocenter.io @jbaruch #CharlotteGolang #jcenter http://jfrog.com/shownotes