Skip to content
This repository has been archived by the owner on Nov 2, 2018. It is now read-only.

vendor: adding dependency mgmt with dep #2394

Closed
wants to merge 4 commits into from
Closed

vendor: adding dependency mgmt with dep #2394

wants to merge 4 commits into from

Conversation

dmmcquay
Copy link

@dmmcquay dmmcquay commented Oct 3, 2017
edited
Loading

Adds dep dependency management.

  • Change makefile according to new
  • Solve github.com/huin/goupnp import issue (currently manually added files)

fixes #2388

@dmmcquay
Copy link
Author

dmmcquay commented Oct 3, 2017

@lukechampine could help me understand what you did here NebulousLabs/go-upnp@026fadc ?

@lukechampine
Copy link
Member

ah. So, we vendored https://github.com/huin/goupnp, but found that it was in need of some fixes. We applied the fixes to the vendored code. So now it's out of sync with the actual repo.
What's usually done in this circumstance? You can try to get the upstream maintainer to merge your changes, but that's not always an option. We could also fork goupnp like we've done with other projects (e.g. bolt)

@dmmcquay
Copy link
Author

dmmcquay commented Oct 3, 2017

Yeah, I looked at the difference with github.com/huin/goupnp and it basically is that we pass in context.Context to a function call that no longer takes one (or maybe never did, idk):

vendor/github.com/NebulousLabs/go-upnp/upnp.go:134:67: too many arguments in call to internetgateway1.NewWANPPPConnection1Clients
        have (context.Context)
        want ()

I could make a small patch to the lines that are complaining (L134 and L138) but I am not familiar with the code enough to know if the ctx are actually used. From what I can tell, they are.

I personally don't like the idea of forking cause it makes us responsible for its upkeep, but that is just my opinion.

What do you think @lukechampine? Do you think we can remove the contexts in those lines in go-upnp?

@dmmcquay dmmcquay force-pushed the dep_vendoring branch 2 times, most recently from f7a3bc0 to 29c486e Compare October 4, 2017 00:52
@lukechampine
Copy link
Member

we added the context recently in order to enable cancellation of port forwarding. So we can't just strip it out.
I guess this ties back into the dependency management discussion. What should we do when we want to make modifications to one of our dependencies?

@dmmcquay
Copy link
Author

dmmcquay commented Oct 4, 2017

@lukechampine depends how often you think you'll be making those changes. If it is something that would benefit the package for others, I think contributing back to the package would be the correct thing to do. If it is something frequent or a drastic change, then forking makes more sense to me.

@lukechampine lukechampine mentioned this pull request Oct 4, 2017
Open
@dmmcquay
Copy link
Author

dmmcquay commented Oct 5, 2017

Makefile updates are complete and github.com/huin/goupnp import issue solved (NebulousLabs/go-upnp#9).

@dmmcquay dmmcquay changed the title vendor: [WIP] adding dependency mgmt with dep vendor: adding dependency mgmt with dep Oct 5, 2017
@dmmcquay dmmcquay force-pushed the dep_vendoring branch 16 times, most recently from 42ec283 to 4037257 Compare October 11, 2017 03:36
@starius
Copy link
Contributor

starius commented Oct 21, 2017

I think we should wait for golang/dep#944 to reduce the size of committed vendor/ directory. They are working exactly on removing tests and all non-Go files except README and LICENSE.

@starius
Copy link
Contributor

starius commented Oct 21, 2017

Also, can Travis script verify that:

  1. Gopkg.toml matches code (i.e. covers all dependencies and has no unnecessary projects)
  2. Gopkg.lock matches Gopkg.toml (i.e. has most recent versions for projects using branch="master") and code (i.e. "packages" field covers all dependencies and has no unnecessary packages).
  3. Vendor dir matches Gopkg.lock

?

The script should return error if the failure is a result of the pull request. Otherwise just a warning. If this is hard to achieve, then return error if the failure happens due to requirements 1 and 3 (because 2 can start failing itself as a result of push to a dependency repo).

starius pushed a commit to starius/Sia that referenced this pull request Oct 21, 2017
add Gopkg.{toml,lock}
a77ee8e 
Based on NebulousLabs#2394
@sdboyer
Copy link

sdboyer commented Oct 26, 2017

noticed this crosslink from one of our issues, so lemme answer @starius' questions 😄

Gopkg.toml matches code (i.e. covers all dependencies and has no unnecessary projects)

this is the "ineffectual constraints" problem, which we've had a longstanding issue open to address in hopes that someone would pick it up. i suppose it'd be possible to do via a separate script, though i think it may be a struggle.

Gopkg.lock matches Gopkg.toml (i.e. has most recent versions for projects using branch="master")

there may be some nuance here, but if you really want this flow - where you don't accept a commit unless all (or d you only care about branches?) of its dependencies are at the latest possible one allowable by constraints - then the best thing to do may be to run dep ensure -update and just see if the Gopkg.lock changes at all.

code (i.e. "packages" field covers all dependencies and has no unnecessary packages).

you probably won't get much value out of this check - unless you've got particular requirements around special build tags, it's basically not possible for dep to get this wrong. or IOW if dep does get it wrong, it's a critical bug in dep that we'll have fixed very quickly; otherwise, a discrepancy is more likely to indicate a bug in the verification script.

Vendor dir matches Gopkg.lock

this will be quite onerous to do externally, but is something we're aiming to have done reasonably soon - golang/dep#121.

@starius
Copy link
Contributor

starius commented Oct 26, 2017 via email

@sdboyer
Copy link

sdboyer commented Oct 29, 2017
edited
Loading

The idea of the algorithm is as follows: generate new
Gopkg.toml (in memory) from scratch and check if the sets of projects are
the same in the generated Gopkg.toml and real Gopkg.toml.

hmm...maybe? so you'd mv Gopkg.toml and then dep init again, then compare the difference there? i can't point to a specific thing, but dep init is trying to do a very difficult task (convert the varied the universe of ways people have organized their Go projects in the past over to dep's model), so it may not be quite as precise as what you're hoping for.

i have a draft of a blog post that i'll get around to...sometime soon here i hope, which illustrates how i hope CI workflows could work. it wouldn't be terribly difficult to stitch together the behavior described in there - it's just that it's one of many, many priorities, and we've not gotten to it yet.

@tbenz9
Copy link
Collaborator

tbenz9 commented Feb 16, 2018

Reading the history it looks like the primary reason this PR stagnated was to wait for golang/dep#944, which has now been merged into dep v0.4. We may want to revisit this PR; especially since we now vendor bbolt.

@dmmcquay
Copy link
Author

@tbenz9 @lukechampine sounds good to me. Let me know the direction you want to move in and I can update the PR.

@dmmcquay
vendor: adding dep pkg mgmt
1fa2798 
Still working on issue with github.com/huin/goupnp as it wasn't properly
vendor in github.com/NebulousLabs/go-upnp and no history exists about
when the snapshot of the repo was taken

Signed-off-by: Derek McQuay <derekmcquay@gmail.com>
@dmmcquay
makefile: update dependency to use dep
084419b 
Signed-off-by: Derek McQuay <derekmcquay@gmail.com>
@dmmcquay
vendor: update with change NebulousLabs/go-upnp
070a479 
See NebulousLabs/go-upnp#9 (comment).
Removed dep on local modified github.com/huin/goupnp that existed in
NebulousLabs/go-upnp

Signed-off-by: Derek McQuay <derekmcquay@gmail.com>
@dmmcquay
makefile: dep call and edited travis ci settings
ad1a3c6 
Signed-off-by: Derek McQuay <derekmcquay@gmail.com>
@lukechampine
Copy link
Member

@dmmcquay interesting timing... Russ Cox just posted this: https://research.swtch.com/vgo-intro

So the state of dependency management has been thrown into disarray once more. It looks like there will be a painless upgrade path from dep, so perhaps we should continue going down that route. Even if the vgo stuff is accepted, it won't become official until Go 1.12 at the earliest, which is a year away.

@tbenz9
Copy link
Collaborator

tbenz9 commented Feb 21, 2018

Even if we choose the vgo route when its rolled into an official Go release seems like we should still implement the dep solution provided ASAP.

@sdboyer
Copy link

sdboyer commented Mar 3, 2018

yep - dep will still provide you a smoother vector into vgo than your current state, whatever from vgo ultimately ends up taking (still very unclear)

@lukechampine
Copy link
Member

Now that the vgo proposal has been accepted, I think we should make a renewed effort to manage our dependencies with vgo.

@dmmcquay -- thanks for your work on this, and sorry for our sluggishness. If you're interested in migrating Sia to vgo, we'd be grateful for that. I expect that it won't be too difficult, but you never know. Otherwise, I'll go ahead and start working on it myself.

@dmmcquay
Copy link
Author

dmmcquay commented May 22, 2018
edited
Loading

@lukechampine would be glad to do it. I haven't played around with vgo yet and would be a good excuse to!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Reproducible source checkouts for release builds
5 participants
@dmmcquay @lukechampine @starius @sdboyer @tbenz9