
Go Modules: Better Way To Prevent Upgrading Customer Deps

Open felixge opened this issue 3 years ago • 6 comments

Problem

The go.mod file in this repository currently contains only a single dependency despite the repository having many dependencies. @knusbaum told me this is done because listing all of the dependencies with an explicit version could cause problems for customers which use lesser versions of these same dependencies in their application. The minimal version selection algorithm of Go modules would implicitly upgrade them to a newer version, which could break their code.

This idiosyncratic usage of Go modules has confused new contributors, including myself.

Proposal

For now I'll follow up with a PR for the CONTRIBUTING.md file to mention this issue and to recommend using git update-index --assume-unchanged go.* as a workaround for local development to avoid accidentally committing modified go.mod/go.sum files.

Going forward we can also use this issue to discuss the problem in general and perhaps come up with a better solution.

Jan 11 '21 09:01 felixge
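The implicit upgrade described in the issue above, as an added example that is not part of the original thread or of dd-trace-go: a simplified model of minimal version selection (no pruning, replace or exclude directives, no pre-release ordering). The module paths under example.com and all versions are constructed for illustration.

```go
package main

import "fmt"

// Req is one "require" line of a go.mod: module path and minimum version.
type Req struct{ Path, Version string }

// newer reports whether version a is greater than b (plain vX.Y.Z only).
func newer(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	for i := range x {
		if x[i] != y[i] {
			return x[i] > y[i]
		}
	}
	return false
}

// BuildList visits every go.mod reachable from the root requirements and
// keeps, per module path, the highest minimum version any of them asks for.
func BuildList(root []Req, graph map[string][]Req) map[string]string {
	selected, seen := map[string]string{}, map[string]bool{}
	queue := append([]Req(nil), root...)
	for len(queue) > 0 {
		r := queue[0]
		queue = queue[1:]
		if cur, ok := selected[r.Path]; !ok || newer(r.Version, cur) {
			selected[r.Path] = r.Version
		}
		if key := r.Path + "@" + r.Version; !seen[key] {
			seen[key] = true
			queue = append(queue, graph[key]...)
		}
	}
	return selected
}

// CustomerRouterVersion: a constructed customer app requires router v1.2.0
// and a tracing library whose go.mod contains libraryRequires.
func CustomerRouterVersion(libraryRequires []Req) string {
	app := []Req{{"example.com/tracer", "v1.0.0"}, {"example.com/router", "v1.2.0"}}
	graph := map[string][]Req{"example.com/tracer@v1.0.0": libraryRequires}
	return BuildList(app, graph)["example.com/router"]
}

func main() {
	fmt.Println(CustomerRouterVersion([]Req{{"example.com/router", "v1.8.0"}})) // library lists the dep
	fmt.Println(CustomerRouterVersion(nil))                                      // library omits it
}
```

The first call yields a router version the customer never asked for, which is the behaviour the single-dependency go.mod was meant to avoid.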

cc @pmbauer @gbbr @knusbaum (just FYI, no action needed for now)

Jan 11 '21 09:01 felixge

PR for git workaround is ready: https://github.com/DataDog/dd-trace-go/pull/811

Jan 11 '21 10:01 felixge

What do you think of splitting this repo into multiple Go Modules? You can check how it is done in the Go SDK for OpenTelemetry: https://github.com/open-telemetry/opentelemetry-go. I have also started doing some work on a fork: https://github.com/signalfx/signalfx-go-tracing/pull/67

Mar 22 '21 15:03 pellared

@pellared we've considered it, but since it's very easy to make a mistake and screw everything up, we've avoided it. If we find strong reasons to go that way, I am still open to it as a possibility. We should outline the advantages and disadvantages of that to properly take it into consideration.

Mar 22 '21 15:03 gbbr

@gbbr Might be worth checking how Google does it here: https://github.com/googleapis/google-cloud-go

Mar 22 '21 15:03 pellared

@pellared thanks for the link. It seems like they have separate go.mod files for some, but not all, sub-directories. I'll dig into this some more later, but the approach seems worth considering.

Mar 22 '21 16:03 felixge

This is resolved by #1188 and by our policy of having minimum required versions for our contrib dependencies (https://github.com/DataDog/dd-trace-go/blob/main/CONTRIBUTING.md#go-modules).

Mar 22 '23 16:03 nsrip-dd