Hacker News new | ask | show | jobs
by purpleidea 503 days ago
go.mod and the golang tooling is a horror show. I absolutely LOVE the language, but dealing with the tooling is horrendous. I should blog about the specifics, but if you want a short version:

* not using posix args

* obscure incantations to run tests

* go.mod tooling is completely non-deterministic and hard to use, they should have just left the old-style vendor/ alone (which worked perfectly) and wrapped a git-submodules front-end on top for everyone who was afraid of submodules. Instead they reinvented this arcane new ecosystem.

If you want to rewrite the golang tooling, I'll consult on this for free.
1 comments
verdverm 503 days ago
MVS, the algo for dep version selection, is deterministic, given the same inputs you will get the same outputs. Go has invested a lot of effort in creating reproducible builds through the entire toolchain

https://research.swtch.com/vgo-mvs

link
purpleidea 503 days ago
The _tooling_ is not reproducible. Take a not small golang project with some number of dependencies and there should be a single list of the latest versions for the entire project. And exactly what golang commands do you run to generate that list? It's totally broken. This is why so many tools cropped up like go-mod-upgrade and so on.

Everyone downvoting obviously doesn't understand the problem.

link
verdverm 502 days ago
`go.mod` contains the dependency list and minimum version required

`go.sum` is a lock file for the exact versions to use (ensures reproducibility)

`go mod graph` will produce the dependency graph with resolved versions

`go list -deps ./...` will give you all packages used by a module or directory, depending on the args you provide

`go get -u ./...` will update all dependencies to their latest version

Here is a post about Go toolchain reproducibility and verification: https://go.dev/blog/rebuild

You are being downvoted for being wrong and talking about downvoting, which is called out as something not to do in the posting & commenting guidelines

link
arccy 502 days ago
the versions in go.mod are an enforcement of the versions required by your dependencies, and those your module require. asking for it to be reproducible from scratch is like deleting package.json in a node project and asking it to magic all your >= < version constraints out of thin air, it's impossible because you're deleting the source.
link