Hi all, We're building with go 1.10.x and dep for a project at work, and having been bitten twice in the space of a week with unversioned upstream executables fetched via "go get" causing strife with versioned vendor code fetched by "dep", we've been working on making our build environment hermetic (we'll be moving to modules soon when we move to 1.11, especially because we use Artifactory, which supports vgo registries so we can protect our build chain, but for now we're stuck with dep).
Our common solution for this is to make sure the tool is put in the "required" stanza in Gopkg.toml, then running "dep ensure" to make sure it ends up in the Gopkg.lock file so the Docker build can pick it up when it runs "dep ensure --vendor-only". This works pretty well for protoc-gen-go from protobuf and mockgen (the two tools that broke our build this past week), but I also want to do the same for goyacc, which lives in golang.org/x/tools. I notice that nothing from the golang.org repository is at all versioned, so as far as I can tell, it all comes from the master branch. How do I version these to ensure that they don't break with older/other Go versions? Is there some sort of guarantee that they'll work at least n revisions back? I'm already extremely skeptical about the practice of just fetching all packages from git repositories, given how easy it is to slip malicious code in that way, so requiring a "go get" for those tools doesn't exactly give me the warm and fuzzies. - Dave -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
