Thank you.

It makes me weep when I hear gophers telling me to vendor all my dependencies. That is insane. Completely insane.

Actually what is insane is to have your production code do anything else. "pip install foo" and similar schemes open your code up to the following problems:

- incompatibilities that were introduced in the version 1.2.1 while you've only tested your code with 1.2

- the host is down so you can't compile your own code because your dependency is not available

- the host is hacked and "foo" was replaced with "malicious foo"

- exponential increase of testing (you really should test with all version of your dependencies you use)

Ultimately, I don't understand the doom and gloom point of view. C, C++, Java, C# etc. programmers have been pulling dependencies in their repos for ages. In my SumatraPDF I have 12 dependencies. I certainly prefer to manually update them from time to time than to have builds that work on my machine but fail for other people or many other problems that are a result of blindly pulling third party code.

None of the things you listed are problems. The other comment demonstrates solutions to all of them, and I do not understand your fourth bullet point in context at all.

> C, C++, Java, C# etc. programmers have been pulling dependencies in their repos for ages.

I'm not making this up: in my career, I have never worked on a project where this is the case, and I've worked for shops that write in three of those languages.

> I certainly prefer to manually update them from time to time than to have builds that work on my machine but fail for other people

That's your choice, and it's a little bit different because I'm assuming "other people" are end users -- those that want to recompile SumatraPDF from source for some bizarre reason -- not developers. Fixing a broken build is a skill that every developer should have, but not an end user. Once I learned how to write software, I never came across a situation as an end user compiling an open-source Unix package that I could not solve myself.

The opinion I'm sharing here is related to developing on a team, not distributing source for end-user consumption. It sounds like you don't develop SumatraPDF with many other people, either. Nothing like merge failures on a huge dependency that I didn't write to ruin a Monday.

Also, wait, SumatraPDF is built with dependencies in the codebase? What if a zero-day is discovered in one of your dependencies while you're on vacation for a month; what do distribution maintainers do? Sigh? Patch in the distribution and get to suffer through a merge when you return?

> C, C++, Java, C# etc. programmers have been pulling dependencies in their repos for ages.

The first time I worked on a C# project started in an age where nu-get was not widespread, I saw with dismay a "lib" directory with vendored DLLs. It does happen.

Why dismay?

Many reasons:

- Binary artifacts under version control is no-no for me, unless we're talking assets. Third-party libraries are not assets. - Where do these DLLs come from? How do I know it's not some patched version built by a developer on his machine? I have no guarantee the library can be upgraded to fix a security issue. - Will the DLLs work on another architecture? - What DLL does my application need, and which ones are transitive dependencies?

That's many questions I shouldn't have to ask, because that's what a good package management system solves for you.

Spot on. We had this problem taking on some legacy code during a round of layoffs. They had checked in /their own/ DLLs from subprojects. It turned out that one DLL had unknown modifications not in the source code, and another had no source at all.

Another problem was that by building the way they had, they'd hidden the slowness and complexity of the build - including the same code from different branches via a web of dependencies, and with masses of unused code. They never felt this pain, so had no incentive to keep the code lean.

If you don't trust your developers, then you've got bigger problems.

Sure. But at the same time, if you make it a policy to forbid nailguns at the workplace, you have less people shooting themselves in the foot while you're not looking.

Great unless you're a home construction business.

Anyway, this analogy isn't helping anyone. You think libs in source control is a problem because some people might not do it properly. I'm contending that there's nothing wrong with libs in source control--there's something wrong with letting people who might not do it properly near your source control.

There are clear benefits from having a package manager (if anything, pesky things like version numbers, direct dependencies, etc are self-documented). In addition, it does prevent people from taking shortcuts, and even good people take shortcuts when the deadline is short enough.

But if you didn't write the dependency (and thus presumably don't commit to it), why would there be a merge conflict?

As for upstream maintainers rebuilding your package, I don't see how having to update a submodule is vastly different from updating the relevant versions in a file. Both seem like they'd take mere seconds.

It's not like you're writing gotos straight into library code, it's merely a bookkeeping change. You're just importing everything into your repo instead of referring to it by ambiguous version numbers. In the end, the code written and the binary produced should be identical.

- you can freeze the version: foo==1.2.1

- you don't need the internet to install dependencies. There are many options e.g., a locally cached tarball will do (no need to download the same file multiple times). Note: your source tree is not the place to put it (the same source can be built, tested, staged, deployed using different dependencies versions e.g., to support different distributions where different versions are available by default)

- if your build infrastructure is compromised; you have bigger problems than just worrying about dependencies

- you don't need to pull dependencies and dependencies of dependencies, etc into your source tree to keep the size of the test matrix in check even if you decided to support only a single version for each your dependencies.

As usual different requirements may lead to different trades off. There could be circumstances where to vendor dependencies is a valid choice but not due to the reasons you provided

> - incompatibilities that were introduced in the version 1.2.1 while you've only tested your code with 1.2

Which is why you pin dependencies to specific versions.

> - the host is down so you can't compile your own code because your dependency is not available

Which is why you have (caching) proxy and use mirrors.

> - the host is hacked and "foo" was replaced with "malicious foo"

Which is why you use GPG signing. (sadly, Python lacks in this respect).

> - exponential increase of testing (you really should test with all version of your dependencies you use)

Which is why you only use a specific version.

No really! Go isn't like other languages. You have to think differently. Please try it!

There's no such thing as, say, Maven binary dependencies for Java. If you don't check in the source code for your dependencies, your team member won't get the same version as you have and builds won't be reproducible. You won't be able to go back to a previous version of your app and rebuild it, because the trunk of your dependencies will have changed. By checking in the source code you're avoid a whole lot of hurt.

Checking in source is okay because Go source files are small and the compiler is fast. There isn't a huge third-party ecosystem for Go yet.

> There's no such thing as, say, Maven binary dependencies for Java.

I'm saying there should be, but not necessarily the same thing. That's my entire point.

I'm also not a fan of the "you have a dissimilar opinion to mine, so obviously you've never used Go properly" attitude in this thread. One way to read your last is that I've never used Go at all, though I'm giving you the benefit of the doubt and assuming you meant used Go properly. Either way, I don't get the condescension of assuming I'm unaware of everything you're explaining to me simply because I have an opinion that is different than yours. Especially since half of your comment is repeating things to me that I said earlier.

Maybe it sounds like condescension. I was in the same place at the beginning. No exceptions? No generics? Heresy. How dare you Go people ignore my many years of experience? I wrote a few rants to the mailing list, which were basically ignored.

The reason I assume you haven't used Go much is that your examples of problems with checking stuff in aren't examples of problems happening in Go. It's an analogy with other languages and other environments. Such arguments don't seem to get very far.

Maybe it won't scale and something will have to give. I expect the Go maintainers will find their own solution when it happens, and it won't look like Maven or traditional shared libraries. (If anything, it might be by replacing Git/hg with something that scales better.)

Except this does not work for commercial software, which is expected to give you only packages.

Right, "go install" is for open source projects.

> There is absolutely no reason, however, to have the source code for a dependency in my tree, Go or not.

Disk space is cheap; much cheaper than time needed to fix something if it goes to hell and some remote repository isn't available.

Interestingly, the only ecosystem which suffers from such issues is Go.

You already have that in Javaland. It's called maven, and it allows you to change one number in one file to upgrade the dependency version. Clojure also has that with Leiningen.

I'm not entirely familiar with how go dependencies work, but does using git submodules for the dependencies with go make sense?

Almost. `go get` will not resolve your sub-moduled dependencies. It'll work well enough for developing your library, but will break when people try to consume your library (at least, without git cloning it)