0

I'm attempting to convert a project from govendor to dep. However, I'm finding one limitation in dep to make this impossible. In govendor, in the vendor.json file, I can have different packages from the same source have different revision hashes. Like this, for example:

{
    "checksumSHA1": "iYT7abLMy0Vfyy8nwoDZYirLrI4=",
    "path": "github.com/docker/docker/api/types",
    "revision": "deed26f7f0f9a9d279b8ac99389f204d9063d1a4",
    "revisionTime": "2018-03-29T10:06:29Z"
},
{
    "checksumSHA1": "jVJDbe0IcyjoKc2xbohwzQr+FF0=",
    "path": "github.com/docker/docker/api/types/blkiodev",
    "revision": "88c0317e23449d6ff730a1073f240586cbdfd4ba",
    "revisionTime": "2017-08-23T07:13:08Z"
},

However, when I solve this with dep init, the final .lock file seems to have picked the latest version:

[[projects]]
digest = "1:3101683c3a63814ac8fe12a61fa01b728340f647c484d71573a31f041a68e7bc"
name = "github.com/docker/docker"
packages = [
    "api/types",
    "api/types/blkiodev",
]
pruneopts = "UT"
revision = "deed26f7f0f9a9d279b8ac99389f204d9063d1a4"

Unfortunately, having every package under github.com/docker/docker at the same revision doesn't work for us at all. Trying to make them all one revision brings up an entire cascade of revision changes to other transitive packages that we simply cannot tolerate at this time. (This example is pruned down, we have a lot of packages under github.com/docker/docker, and those packages are pidgeon-holed into three or four different versions).

So the question is, can dep handle having packages from the same "name" with different revisions? If so, are we stuck forever with govendor? That would make me personally unhappy because govendor is... uh... challenging... (it's probably how we got into this bad place)

Thanks in advance for all the help!

Adan Sandoval
  • 436
  • 1
  • 6
  • 18
jwells131313
  • 2,364
  • 1
  • 16
  • 26
  • Having different versions of different packages within the same library seems dangerous at best. Does docker actually provide any compatibility guarantee for that kind of usage? This seems like something I would go to great lengths to avoid, at least until module support is finalized in Go 1.11. – Adrian Aug 16 '18 at 16:34
  • Tell me about it. It seems absolutely barmy to me. But this is where I'm at. I can't move to dep because of this limitation, because when I try all hell breaks loose when we use the same packages revision for everything – jwells131313 Aug 16 '18 at 16:38

1 Answers1

1

So the question is, can dep handle having packages from the same "name" with different revisions?

No.

Volker
  • 40,468
  • 7
  • 81
  • 87
  • So... thus we are stuck with govendor until we can get our packages in agreement? And follow up question, will the new dependency system (vgo: https://github.com/golang/go/wiki/vgo) be able to handle this case? – jwells131313 Aug 16 '18 at 18:26
  • Go 1.11 will allow to have several major (!!) version of one package in one build. – Volker Aug 16 '18 at 19:46