[Proposal] Do vendoring for reproducible builds?

Just some brainstorming.

Google uses and recommends vendoring in Go apps.

I’ve been using govendor and it is very clever. E.g.: it just copies the necessary files to the vendor folder (test files and others aren’t copied). Also, it flattens the vendor folder if any dependencies also use it.

Advantages:

  • Reproducible builds. Can compile older versions even if dependencies have breaking changes.
  • Fewer issues on GitHub about Gogs not compiling because the user forgot to do go get -u ./...
  • More control over dependency updates. E.g.: xorm won’t break Gogs every week.

Disadvantages:

  • Gogs repo will be bigger.

Checking in vendor to version control is something… I’m not ready for yet, that’s why I only have a lock file for revisions…

How about just distributing source packages for use by builders, rather than including the vendor directory in the git repository?

Not sure what exactly you mean…?

Was meant as a solution for:

Better idea: register a vendor/ as a submodule, so those who don’t want to download the controlled snapshots of dependencies can still tell “go get” not to download submodules.

You’ll then have github.com/gogits/gogs-deps as a repository for just the vendor/ content, and update it occasionally as you see fit.
