What is the most effective way to lock down external dependency "versions" in Golang?

Question

By default, Go pulls imported dependencies by grabbing the latest version in master (github) or default (mercurial) if it cannot find the dependency on your GOPATH. And while this workflow is quite simple to grasp, it has become somewhat difficult to tightly control. Because all software change incurs some risk, I'd like to reduce the risk of this potential change in a manageable and repeatable way and avoid inadvertently picking up changes of a dependency, especially when running clean builds via CI server or preparing to deploy.

What is the most effective way I can pin (i.e. lock down or capture) a package dependency so I don't find myself unable to reproduce an old package, or even worse, unexpectedly broken when I'm about to release?

---- Update ----

Additional info on the Current State of Go Packaging. While I ended up (as of 7.20.13) capturing dependencies in a 3rd party folder and managing updates (ala Camlistore), I'm still looking for a better way...

Here is a great list of options.

Also, be sure to see the go 1.5 vendor/ experiment to learn about how go might deal with the problem in future versions.

Answer 1

Score: 9

You might find the way Camlistore does it interesting.

See the third party directory and in particular the update.pl and rewrite-imports.sh scripts. These scripts update the external repositories, change imports if necessary and make sure that a static version of external repositories is checked in with the rest of the camlistore code.

This means that camlistore has a completely repeatable build as it is self contained, but the third party components can be updated under the control of the camlistore developers.

Answer 2

Score: 7

There is a project to help you in managing your dependencies. Check out gopack.

Answer 3

Score: 5

godep

I started using godep early last year (2014) and have been very happy with it (it met the concerns I mentioned in my original question). I am no longer using custom scripts to manage the vendoring of dependencies as godep just takes care of it. It has been excellent for ensuring that no drift is introduced regardless of timing or a machine's package state. It works with the existing mechanism of go get and introduces the ability to pin (godep save) and restore (godep restore) based on Godeps/godeps.json.

Check it out:

https://github.com/tools/godep
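A drift check in the spirit of this answer, added here as an example and not part of godep or the answer itself: it reads the pinned revisions from a Godeps.json document (the sample is constructed inline, with made-up import paths and revisions) and reports every dependency that is missing or checked out at a revision other than the pinned one. Collecting the revisions actually on disk is assumed to happen separately (for example `git rev-parse HEAD` in each $GOPATH/src/<path> clone); only the comparison is shown.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ParseGodeps maps each import path in a Godeps/Godeps.json document (written by
// `godep save`) to its pinned Rev; an entry lacking either field is an error, not a silent no-pin.
func ParseGodeps(data []byte) (map[string]string, error) {
	var g struct{ Deps []struct{ ImportPath, Rev string } }
	if err := json.Unmarshal(data, &g); err != nil {
		return nil, err
	}
	pins := make(map[string]string, len(g.Deps))
	for _, d := range g.Deps {
		if d.ImportPath == "" || d.Rev == "" {
			return nil, fmt.Errorf("Godeps entry missing ImportPath or Rev: %+v", d)
		}
		pins[d.ImportPath] = d.Rev
	}
	return pins, nil
}

// FindDrift returns a message for every pinned dependency that is missing from actual
// (import path -> revision from `git rev-parse HEAD` in $GOPATH/src/<path>) or has moved.
func FindDrift(pins, actual map[string]string) map[string]string {
	drift := map[string]string{}
	for path, want := range pins {
		if got, ok := actual[path]; !ok {
			drift[path] = "not checked out, pinned " + want
		} else if got != want {
			drift[path] = "at " + got + ", pinned " + want
		}
	}
	return drift
}

// sampleGodeps is a constructed Godeps.json; the paths and revisions are made up.
const sampleGodeps = `{"ImportPath": "example.com/myapp", "Deps": [
  {"ImportPath": "example.com/dep/alpha", "Rev": "aaaaaaaa"},
  {"ImportPath": "example.com/dep/beta", "Rev": "bbbbbbbb"}]}`

func main() {
	pins, err := ParseGodeps([]byte(sampleGodeps))
	if err != nil {
		panic(err)
	}
	// Constructed on-disk snapshot: beta has moved off its pinned commit.
	actual := map[string]string{"example.com/dep/alpha": "aaaaaaaa", "example.com/dep/beta": "cccccccc"}
	fmt.Println(FindDrift(pins, actual)) // map[example.com/dep/beta:at cccccccc, pinned bbbbbbbb]
}
```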

Answer 4

Score: 1

There is no built-in tooling for this in go. However you can fork the dependencies yourself either on local disk or in a cloud service and only merge in upstream changes once you've vetted them.

Answer 5

Score: 1

The 3rd party repositories are completely under your control. 'go get' clones tip, you're right, but you're free to check out any revision of the cloned-by-go-get or cloned-by-you repository. As long as you don't do 'go get -u', nothing touches your 3rd party repositories already sitting on your hard disk.

Effectively, your external, locally cloned, dependencies are always locked down by default.

huangapple
  • Posted by huangapple on 2013-06-13 11:27:23
  • Source (keep this link when reposting): https://go.coder-hub.com/17078727.html