cmd/go: "go install" ignores vendor folder #48332
Comments
|
That feels like this is an oversight, with the official Modules proxy being unable to guarantee that all packages it cached will remain cached forever. Considering that, vendoring is the only mechanism we have for 100% reproducible builds, with it being especially important for tools that choose to be distributed this way and not precompiled and distributed via the OS's package manager. |
|
This is working as intended, though it looks like it needs to be documented better. Neither https://golang.org/ref/mod#go-install nor
I understand that doesn't really solve your problem though. I'd suggest one of the following solutions:
|
|
Change https://golang.org/cl/349590 mentions this issue: |
For golang/go#48332 Change-Id: I3e1b6228ce2ef6c78b851bffb79b48e9ac06aad0 Reviewed-on: https://go-review.googlesource.com/c/website/+/349590 Trust: Jay Conrod <[email protected]> Run-TryBot: Jay Conrod <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Bryan C. Mills <[email protected]>
|
Change https://golang.org/cl/349591 mentions this issue: |
For #48332 Change-Id: I708eb3e8f3f386f03210b7117d9ab8b0be2125bb Reviewed-on: https://go-review.googlesource.com/c/go/+/349591 Trust: Jay Conrod <[email protected]> Run-TryBot: Jay Conrod <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Bryan C. Mills <[email protected]>
|
@jayconrod can you point to the document where that was discussed? That's the distribution command for many applications, that cannot be what we intend. :( |
|
@theckman As @mvdan pointed out, this is mentioned in #40276. We definitely thought about it. Please read through the design doc and the discussion there. Supporting vendor directories would require a completely different implementation than what any other module-aware subcommand does, including |
|
@as I needed the same to work in my project. Saw this issue created by you. |
For golang/go#48332 Change-Id: I3e1b6228ce2ef6c78b851bffb79b48e9ac06aad0 Reviewed-on: https://go-review.googlesource.com/c/website/+/349590 Trust: Jay Conrod <[email protected]> Run-TryBot: Jay Conrod <[email protected]> TryBot-Result: Go Bot <[email protected]> Reviewed-by: Bryan C. Mills <[email protected]>
See golang/go#48332 for background. Calling `go install <package>@<commit>` bypasses the local `go.mod` dependency versioning and also ignores dependencies in the `vendor` directory. To address this we must add a file that imports the packages we intend to install - it only needs to import them not do anything else with them. With that done, calling `go install <package>@<commit>` and then `go mod vendor` will properly add the package and its dependencies to the `go.mod` file, `go.sum` file, and `vendor` directory. Finally, future calls must be in the form `go install <package>` and then the package and dependencies will be looked up using the local settings.
**Desired Behavior** * Installed tools versions are locked the versions of installed tools to specific versions * Versions of the dependencies used by installed tools are controlled by `go.mod` and `go.sum` **Actual behavior** The Dockerfile includes tool installations locked to a specific commit by referencing that commit in the command `go install <package>@<commit>`: https://github.com/GoogleContainerTools/kaniko/blob/24846d22b11f20edc03dff7ac3b3959019969873/deploy/Dockerfile#L25-L32 However, this form of the `go install` command bypasses the local `go.mod` dependency versioning and also ignores dependencies in the `vendor` directory. Instead it goes to the project commit referenced and downloads the versions of the dependencies listed in that external package and also uses those at runtime. This documented but easily overlooked behavior. See golang/go#48332 for background. **Proposed fix** To address this we must add a file that imports the packages we intend to install - it only needs to import them not do anything else with them. With that done, manually calling `go install <package>@<commit>` will properly add `<package>` and its dependencies to the `go.mod` and `go.sum` files. Then calling `go mod vendor` will update the `vendor` directory to include the updated dependency. In both calls the dependency versions in `go.mod` will take precedence and can be modified if needed. Finally, future scripted calls must be in the form `go install <package>` so that `<package>` and dependencies will be looked up using the local configuration. **Side effects of proposed fix** * Installed tools and their dependencies are are included in the `vendor` directory - `Docker-slim` is less slim due the additional vendoring, but that scenario is not built by Verta.
The
go installcommand ignores myvendorfolder. This behavior differs fromgo get.Below is a command line utility with a vendor folder.
When run, the output suggests it is downloading existing content redundantly.
The
go.mod,go.sum, andvendorfolder exist and are configured. This behavior is surprising and prevents easy packaging of versioned command line tools using go modules, especially in a locked down environment where packages are hosted on an air gapped or heavily firewalled network.What did you expect to see?
What did you see instead?
/cc @bcmills
The text was updated successfully, but these errors were encountered: