Translation-Golang version Management VI: definition of Golang dependent library

This is a creation in Article, where the information may have evolved or changed.

As introduced in the overview post, a Go module was a collection of packages versioned as a unit, along with a go.mod file Listing other required modules. The move to modules is a opportunity for us to revisit and fix many details of how the GO command manages source code. The current go get model would be is about ten years old when we retire it in favor of modules. We need to make sure that the module design would serve us well for the next decade. In particular:

As defined in the previous article, the Golang dependent Library is a code package with a version that includes a file and go.mod lists in the go.mod file that the code package depends on other packages and on the versions that it depends on. modulethe way we organize the Golang code base gives us the opportunity to introduce a new organizational approach to perfecting go get and missing some of the go install details of the two command-line tools. Before the new specification is applied, go get and go install will remain in place for a long time, new tools must also be guaranteed to be available for the next more than 10 years. For this reason, the following issues are particularly important:

• Developers are encouraged to release the code version for the code warehouse, rather than giving commit ID it to third parties directly. The version label of the code means that the current code is available and is maintained by someone. At the same time, using the specified commit is still supported, although this is not recommended.
• You do not need to use a version control tool (such as BZR, FOSSIL,GIT,HG,SVN) or you can follow a dependent library.

We want to move away from invoking version control tools such as BZR, fossil, Git, Hg, and svn to download source code. These fragment the Ecosystem:packages developed using Bazaar or Fossil, for example, is effectively unavailable to users Who cannot or choose does not install these tools. The version control tools has also been a source of exciting security problems. It would is good to move them outside the security perimeter.

We want to allow multiple modules to being developed in a single source code repository but versioned independently. While most developers would likely keep working with one module per repo, larger projects might benefit from having MULTIPL e modules in a single repo. For example, we're like-to-keep Golang.org/x/text a single repository is able to version experimental new packages SEPA Rately from established packages.

We want to make it easy for individuals and companies to put caching proxies in front of go get downloads, whether for Ava Ilability (use a local copy to ensure the download works tomorrow) or security (vet packages before they can be used Insid e a company).

We want to make it possible, at some, and introduce a shared proxy for use by the Go community, similar in SPI RIT to those used by Rust, Node, and other languages. At the same time, the design must work well without assuming such a proxy or registry.

We want to eliminate vendor directories. They were introduced for reproducibility and availability, but we are now having better mechanisms. Reproducibility is handled by proper versioning, and availability are handled by caching proxies.

Proxy Server

An independent developer or company will need to update the Golang dependency Library from a proxy server instead of the original address. Some of this is due to the speed of the network, or it may be from security, open Source protocol versions, or other reasons. According to the above two chapters in the format of Go module and the definition of file download standard, you can easily achieve the goal. When the environment variable is $GOPROXY set to non-empty, VGO will URL get the dependent library on the set as a baseline module and no longer use the original address. To facilitate debug, you can even $GOPROXY set a folder address.

Proxy Servers
Both Individuals and companies may prefer to download Go modules from Proxy Servers, whether for effic Iency, availability, security, license compliance, or any other reason. Have a standard Go module format and a standard download protocol, as described in the last of the sections, makes it Trivi Al to introduce support for proxies. If the $GOPROXY environment variable is set, VGO fetches all modules from the server at the given base URL, not from their Usual locations. For easy debugging, $GOPROXY can even is a file:///URL pointing at a local tree.

We intend to write a basic proxy server This serves from VGo ' s own local cache, downloading new modules as needed. Sharing such a proxy among a set of computers would help reduce redundant downloads from the proxy's users but more import Antly would ensure future availability, even if the original copies disappear. The proxy would also has an option not to allow downloads of new modules. In this mode, the proxy would limit the available modules to exactly those whitelisted by the proxy administrator. Both proxy modes is frequently requested features in corporate environments.

Perhaps some day it would make sense to establish a distributed collection of proxies servers used by default in Go get, to Ensure module availability and fast downloads for Go developers worldwide. But not yet. Today, we are focused on making sure this go get works as well as it can without assuming any kind of the central proxy server S.

The End of vendoring
Vendor directories serve, purposes. First, they specify by their contents the exact version of the dependencies to use during go build. Second, they ensure the availability of those dependencies, even if the original copies disappear. On the other hand, vendor directories is also difficult to manage and bloat the repositories in which they appear. With the Go.mod file specifying the exact version of dependencies to use during VGO build, and with proxy servers for Ensu Ring availability, vendor directories is now almost entirely redundant. They can, however, serve one final purpose:to enable a smooth transition to the new versioned world.

When building a module, VGO (and later go) would completely ignore vendored dependencies; Those dependencies'll also is not being included in the module ' s zip file. To make it possible for authors to move to VGo and Go.mod while still supporting users who haven ' t converted, the new vgo Vendor command populates a module ' s vendor directory with the packages users need to reproduce the vgo-based build.

What ' s Next?
The details here is revised, but today's go.mod files would be understood by any of the future tooling. Please start tagging your packages with release tags; Add go.mod files If that makes sense for your project.

The next post in the series would cover changes to the Go Tool command line experience.