[joaodlf]

This can't happens fast enough.

I have been having a fantastic time with Go... Up until the point I have to add a new package to my projects and go through CI and deployment.

Glide works mostly OK, but it's not the final solution, that's for sure. Even big packages on github fail to produce releases, so you have to depend on master branches... One day your builds just decide to break. It's a nightmare.

[garfij]

I haven't used Glide (only govendor) so I'm not sure exactly how it works.

Are you checking your dependencies into your repository (we do this, it works very well).

If not, are you pinning specific commit hashes? Is that even possible in Glide?

AFAIK those are the only two ways to get even close to reproducible builds.

[joaodlf]

Commit hashes seem to be the way to go, for sure, at least to be safe. I really don't want to put our vendor content in the repos.

It's just a tad absurd when you're used to mature package managers in other languages.

[weberc2]

Honestly, most package managers just bring their own problems. I'd rather commit source code than troubleshoot npm, pip, nix, maven, etc errors all day long. The only package manager I've found that works reliably has been Cargo (Rust).

[zellyn]

There has been a lot of talking between the committee that created `dep` and folks who've implemented other systems, including Cargo. I have high hopes.

[sdboyer]

indeed, we've talked with them quite a bit :)

[RangerScience]

I don't think I've ever had a problem with Bundler.

[OhSoHumble]

Me neither. In fact, I rarely have trouble with package managers. They're amazing.

[weberc2]

I envy you. I use Nix, pip, and npm on a daily basis and it's an uphill battle. I haven't used Bundler.

[baq]

i would be a happy man if every package manager for any language has magically become cargo overnight.

[pjmlp]

Until cargo starts to support binary crates across projects I would be a very unhappy man.

I have better things to do with my time than watching the same crates being compiled multiple times.

[andrewchambers]

Well go builds so fast you wouldn't be waiting.

[zellyn]

I believe the current intended use is a human-editable "manifest file" where you specify desires/intent, preferably semver, ideally only as necessary, and a machine-generated "lock file" which specifies the actual hash of every transitive dependency, so builds are fully specified and reproducible.

[eikenberry]

But they all have to vendor as well if they want reliable builds. Otherwise you end up with everything breaking when a developer decides to do a forced push or take his repo off github.

[zellyn]

Well, you can vendor, or you can have an internal mirror/cache of repositories.

[sdboyer]

Force pushes - by far more common than straight-up repository removal - are handled without problem; we let you stick with your old version. (At least, that's how it should be - there might be a couple more test cases to write. I know I designed for this problem early on).

Repo removal, renaming, or whatever, are still problems, for sure.

Today, dep populates vendor/ with dependencies, and works equally well whether you decide to commit them or not.

[stepik777]

Not if there is a central repository which doesn't allow removal of packages.

[camus2]

> Are you checking your dependencies into your repository (we do this, it works very well).

it work if you are working on a project, it does not if you are library author who rely on other dependencies.

[sdboyer]

in a post-dep world, this won't matter anymore. dep strips vendor directories out of any dependencies it pulls in.

[rem7]

When dep removed the vendor folders from the other libraries, How does dep handle multiple libraries that depend on the same library but different versions of it?

[zeveb]

What I don't get is why more folks don't just use per-project GOPATHs.

I have all my stuff in $PROJECT/src/$PROJECT, and all the dependencies are git submodules in $PROJECT/src/, and it all Just Works. Perfectly. git submodule is a bit of an annoyance, but it works. Anyone fetching my project just checks everything out, and it all Just Works™.

It's a lot better than using a dependency-management tool and shared GOPATH, at least in my experience.

[camus2]

> What I don't get is why more folks don't just use per-project GOPATHs.

because that's not how go works. You need extra work to make it work. That's not up to debate anymore anyway, dep will be the official package manager and will be merged with the rest of the official ecosystem.

[zeveb]

What do you mean 'that's not how go works'? Go provides GOPATH: using a different GOPATH for each of my projects works, and it works really well.

> You need extra work to make it work.

What extra work? I set GOPATH, and everything just works. What more is there?

> That's not up to debate anymore anyway

Neither were type aliases, until they were, except they aren't.

I have no idea what dep adds that using the standard GOPATH doesn't do: I've read the background and the docs, and I'm familiar with using the vendor directory in the past; frankly, now that I've switched to using GOPATH all of those things look like a mistake. It all reads like tha Javafication of Go.

[lobster_johnson]

Glide lets you pin dependencies to specific commits (the "version" key takes a semver version constraint, a branch name or a commit hash), and transitive dependencies will be pinned via the lockfile, so it works even if the implicitly included dependencies don't use versioning.

The main problem with Glide is that it's buggy. It also lacks some important features. You still can't do "glide update" on a single dependency, for example. It's all or nothing.

[sdboyer]

yeah, this is one of the main pain points there. the reason it's so difficult to solve in glide is intrinsically tied to the engine glide uses for version selection - otherwise we'd have dealt with it long ago.

[OhSoHumble]

I agree. I have a friend who likes the concept of Go but refuses to try it out unless it has a good dependency management solution.