Date: Tue, 13 Jun 2017 11:47:53 -0400 Message-ID:Subject: Re: Quick sync re: dep From: Russ Cox To: Andrew Gerrand Cc: Peter Bourgon , Edward Muller , Sam Boyer , Jessica Frazelle On Sat, Jun 10, 2017 at 3:40 AM, Andrew Gerrand <adg@golang.org> wrote: > Hi all, > > My sincere apologies for missing yesterday's meeting. > An urgent personal matter arose, and so I completely forgot my schedule. > (All is fine now.) > > Did anyone take notes at the meeting? > > Best wishes, > Andrew Hi Andrew, No worries. I took some personal hand-written notes about things for me to look into in more detail, which I'll reproduce in expanded form below. If anyone raised anything that I'm missing here, please let me know. Thanks. My general goal was to ask "Is the big picture reasonable? Are there objections? Are there things we need to work out among ourselves before making something like this doc public?" - Sam pointed out that the big difference between my sketch and dep is that manifests end up being per-package instead of per-project, which he was concerned may cause incompatibilities between the two schemes. The big difference is that packages have no cycles while projects may (and do, in the case of at least k8s and docker). It's unclear without more investigation exactly how big a difference this is, and it wasn't one I intended explicitly. I need to look more into the implications and which is right, although my inclination is per-package precisely because it avoids the complexity of dealing with cycles. I asked Sam to send some details about the cycles in k8s and docker repos. - Sam had some concerns about depending so heavily on semver. He pointed out that cockroachdb depends on pinned revs of x/text for collation tables to ensure they don't change from release to release. - Sam had some concerns about the scope of version exclusions: respecting them only in the top level manifest is probably not good enough because it means everyone using a package has to copy that package's exclusions to get a good build. I agree that that's problematic and that manifest exclusions in dependencies probably need to apply too (but still without a satisfiability search). - Sam reported some discussions with someone about Amazon's "version sets", which are a bit like internal Google "components" and now Bazel WORKSPACE files. It might be nice if that model can be expressed in manifests. - Peter asked what about repos without semver tags, and my response was that the behavior should degrade gracefully to today's, namely always use the latest rev. - Ed asked about branch designators, so that manifests can say "use this branch." That's now on my list to investigate further. - Sam asked about type leakage in general: if you have v1 and v2 of a package in the same binary, how does the user understand what's going on when the compiler refuses to pass a value of v1 type T to a function expecting a v2 type T? I pointed out that the compiler already automatically adds full import path context when the package names alone are ambiguous, and we'd probably need to be careful to do the same here. - Sam suggested dropping the section in the doc about the standard library, to avoid speculative bikeshedding. (Even though my point in that paragraph was to cut off just that, removing the section entirely might work better.) - Ed pointed out that allowing multiple versions of a package is problematic if you have a development model where you bump the major version frequently: if there are v1 through v20 of your package, users might not want all of them in their binaries. He also brought up a general problem with people doing too much work at init time, and noted that having many copies of a package exacerbates that. - Peter said he wasn't convinced about needing multiple versions of a package at all and wanted to push back on that idea. I raised the scenario of having json v1 and introducing json v2, and suppose the official Amazon APIs are using json v1 while the official Google Cloud APIs are using json v2, and in both cases json doesn't show up in the API at all, it's just purely an internal detail for preparing the wire format of the API requests. The effect of disallowing multiple versions would be that a single program can't use both the Amazon and Google Cloud APIs, because of an internal implementation detail in those packages. The same thing comes up for any similar utility library that might go through multiple major versions. To me that's a show-stopper that must be avoided. I might have read the room wrong, but to me people seemed generally receptive to this example. - Sam said that he was worried about "using this tool in anger" and that the sketch assumes that people never stray from a "happy path", and if they do then they will get stuck without any recourse. In contrast he seemed to be saying that much of the complexity of dep and gps is meant to give people more power in those situations, because "dependency management is terrible and always will be." - Ed raised a concern about per-package manifests being distributed throughout a source tree and said he'd prefer having just one per project (in the project root). I asked about lock files and whether those should be per-package, since it seems that a lock file is fundamentally about building a single target and if the lock file applies to all targets in a project then it might not be well-specified. In general it seems to me that we're boxed in a bit by the pre-existing package structure and may not be able to impose repository-level ("project") constraints on existing usage. - Peter raised a process concern, namely that there has already been an extended documentation and feedback cycle and that he believes basically everyone has been heard and that right now what we need instead is for "people who know what they're talking about to lead". People seemed to agree, and I do too. I clarified that I don't want to start a whole new survey round but I do want to try to keep the community involved in seeing the design of package management support in the go command take shape. I don't expect to publish the public doc as a formal proposal, because it's not. I might end up just posting something on my blog about "this is what we're looking at" and just deal with feedback in whatever form it takes. - Sam raised the general issue of the status of dep and in particular said he had some misgivings about encouraging contributions to dep if it's not going to last in its current form. I expanded a bit on what I wrote toward the end of the doc, namely that dep is an important step in the process but ultimately not the end result. It's critical for people to get experience using (and to encourage them to use) semver tags and to help us learn what works and doesn't for the eventual integration in the go command, but it's equally important that integration is a full fitting into the entire go command and not a new subcommand. I said that it's very important to keep fixing bugs and issues where dep breaks, but it's probably not worthwhile to design and add new dep features at this point. We know what dep is and need to learn from it and use it as an interim tool. I also mentioned that part of my plan for integration is to publish a go get-able copy of the go command with the experimental integration for people to use with standard toolchains (called 'xgo'). Go 1.9 will have the minimal latent support for this in the compiler and linker, so that people can go get xgo and use it for builds but know that they're still using a stable compiler, runtime, and library set. - Ed brought up the question of how Heroku and other systems that do deploy as 'git push' should work. With vendoring, all the code can be in the git repo, and also govendor's config at least has the flexibility of letting Heroku store some otherwise-ignored config info in its config file, to reduce the number of config files. That gets back a bit to per-project vs per-package manifests. I had to run out at this point to go to another meeting, but I want to follow up with Ed about this as plans firm up. It would be nice to unify what Heroku needs and what App Engine needs, including support within the go command. I had suggested that the 'build plans' described in the doc might help but while App Engine has an explicit deploy command, Heroku is only git push, so that makes things more interesting. Definitely want to return to this when things are farther along. Russ