从Github获取的Go依赖项-我们能确定它们将永远可用吗?

huangapple go评论84阅读模式
英文:

Go dependencies from Github - can we be sure that they will be available forever?

问题

我已经做了几年的JavaScript/Node.js开发者,现在正在学习Go。对于Go来说,似乎大部分外部依赖都是直接从Github中获取的。

我想知道我们能够多大程度上依赖这一点。

当我们在npm上发布一个包时,它会以副本的形式存储在注册表中。即使源代码仓库被删除,该包仍然可用。

在Go中,常见的做法是直接声明依赖于模块仓库(例如Github)。

如果仓库被删除会发生什么?
在这种情况下,所有依赖于该仓库的项目会发生什么?

英文:

I have been a Javascript / NodeJs developer for a few years and am now learning Go. I am very new to it.

It seems that in Go most of the external dependencies are included directly from Github.

I am wondering how much we can rely on that.

When we publish a package on npm it is stored as a copy, as an archive, in the registry. If the source repository is deleted, the package is still available.

In Go it seems to be common to declare dependencies directly to the module repository (E.g. on Github).

What happens if the repository is deleted?
What happens to all the dependent projects in this case?

答案1

得分: 3

今天的Google安全博客文章解释了当存储库被删除时会发生什么情况:

Go保证软件包的可用性。Go模块镜像提供了go命令请求的软件包,而不是直接访问原始服务器(如GitHub)。当任何Go开发人员首次请求给定模块时,它会从上游源获取并缓存在模块镜像中。当一个模块在标准开源许可证下可用时,对该模块的所有未来请求都只会返回缓存的副本,即使该模块在上游被删除。

英文:

Today's article on the Google Security Blog explains what happens when a repository is deleted:

> Go guarantees the availability of packages. The Go Module Mirror serves packages requested by the go command, rather than going to the origin servers (such as GitHub). The first time any Go developer requests a given module, it’s fetched from upstream sources and cached within the module mirror. When a module has been made available under a standard open source license, all future requests for that module simply return the cached copy, even if the module is deleted upstream.

huangapple
  • 本文由 发表于 2023年7月1日 05:09:07
  • 转载请务必保留本文链接:https://go.coder-hub.com/76592222.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定