On Wednesday, March 13, 2019 at 7:25:35 PM UTC+1, Wael Nasreddine wrote:
>
> On Monday, March 11, 2019 at 10:01:04 AM UTC-7, Manlio Perillo wrote:
>>
>> Do you perhaps have the same requirements as in the thread
>> https://groups.google.com/forum/#!topic/golang-dev/DD88cds-LuI
>> as reported by Nicolas Mailhot?
>>
>> That is, you need to patch the upstream source but keep the same version,
>> because you can't (or don't want to) update all the versions of the
>> required modules.
>>
>>
> Not precisely. In my case, I'm doing the build in two stages a) fetch
> dependencies and make sure they pass the hash and b) use (a) to build the
> module. I can add patches to the stage (a) to patch dependencies, but
> obviously, it does need some patching work due to the path of the
> dependency itself. I'm not too worried about patching at this time as I'm
> more worried about packaging instead.
>
>
This is how I would do things in order to have a consistent snapshot of Go
modules for an OS distribution:
1) Clone each repository of the Go modules you want to include in the
snapshot, and all the indirect dependencies
2) Patch all the go.mod files to ensure that *only* one version
of each module is used. Do not rely on cmd/go dependency
resolution algorithm
3) Synthesize a Go module data for each repository, and make
it accessible from GOPROXY
4) Build
Note that 2) will cause hash checks to fail; this is where -mod=trust came
to help.
> [...]
Manlio Perillo
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
