[lobster_johnson]

We use Dep. It's good, much better than the buggy mess that is/was Glide.

My only criticism is that "dep ensure" will actually parse the code to discover dependencies through import statements, which is also what Glide does. To me, this is antithetical to the purpose of a Gopkg.toml/lock file. In other words, Dep's full list of dependencies isn't actually in the Gopkg.toml file; it's a sum of Gopkg.toml and your code. That is confusing.

My desired behaviour:

* "dep ensure" should always used the lock file, nothing else, to install;

* "dep ensure -update" should update the lock file to what is specified in Gopkg.toml (and only that);

* "dep ensure -add" (which I think should be "dep add") should b required to add new dependencies to the Gopkg.toml file.

Aside: I wish Go projects weren't stuck with BSD style flags (-update instead of --update). GNU style is more common and arguably more practical. I applaud whenever a project (e.g. Prometheus, recently) finally sees sense and goes over to GNU flags.

[tynorf]

I'm fairly certain you can use `--flag` with the standard flag package from stdlib: https://godoc.org/flag (in the section on command line flag syntax).

Though supporting `-flag` does remove the very nice combining of short flags.

[lobster_johnson]

Interesting, I didn't know that. I never liked the flag package, and the downside you mention is a reason not to use it. Kingpin (used by the Prometheus projects) and go-flags are nicer. Lots of Google code uses spf13's pflag, which I'm not a fan of, but it does do GNU flags correctly.

[latchkey]

The weird thing is if you -add a dependency before you import it, then you get a warning that the dependency isn't used in the codebase yet. Of course it isn't, I just added it! My IDE (IDEA) resolves the imports for me, so I can't add the import until after I add the dependency. Nice little catch-22.

[lobster_johnson]

Good point, I dislike that behaviour, too.