#33953: Provide a way for easily updating Go dependencies of projects
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

Replying to [comment:3 boklm]:
> Replying to [comment:2 cohosh]:
> > > 1) Use go mod vendor to vendor in the dependencies and then build with -mod=vendor to use the vendor folder with the dependencies.
> >
> > How would this work? Would we have to pull from a separate snowflake branch that has this vendor folder checked in? If we're going to pull all the dependencies at once, I'd rather do something like option (3), since it sounds like there's already a workflow present for something similar. Maintaining the vendor directory sounds tricky.
>
> I think this can be done by adding a `go_mod_vendor` step, which will use a container with network enabled and a snowflake source tarball (from the same git clone) to run `go mod vendor` and generate a tarball which will be used as `input_files` for the snowflake build.

That's one approach, yes. I had more the option in mind to do it like we handle our Rust crates. One would update all the modules and then put them into a .tar.bz2 file somewhere which then gets used during the build. I don't like the idea of using just what `go mod vendor` gives us automatically for building for each build but it seems you have addressed that with your PoC. We'd have right now duplicated repos, though, due to #33988, right?

> I have not tested it, and it probably does not work yet, but I think this could look like this:
> https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33953_go_mod_vendor&id=5e7c5b88bc22548262744f7ec435210ebfaed221

Okay, that is safeguarded with a sha256sum we calculate before using the whole input, that's good. I still feel a bit uneasy with doing build X while network access is allowed for building X. Because you should not need to have network access when building. :) But one maybe could see it more like fetching resources which we'd need to do anyway for building.

Another thing that I feel the `go mod vendor` version does not give us is easy transparency regarding dependencies and what is used. You have, however we construct the fetching of dependencies, usually a .tar.xz blob and that's it while with the current setup (and boklm's improved one) it makes it easier to see the updated repo changes and spotcheck things.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33953#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
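
The two points raised in the comment above (checking a vendored-dependency tarball against a pinned sha256sum before the offline build uses it, and being able to see what is inside the blob) can be illustrated as follows. This is an added example, not code from the ticket, from boklm's commit or from tor-browser-build; the function names are hypothetical, and it assumes `sha256sum`, a tar that can write a member to stdout, and a tarball with `vendor/` at the archive root.

```sh
#!/bin/sh
# Added example: hypothetical helpers, not part of tor-browser-build or rbm.
# Assumption: the tarball was produced by `go mod vendor` in a networked
# step and stores vendor/modules.txt at the archive root.

# verify_vendor_tarball TARBALL PINNED_SHA256
# Returns 0 only if the tarball's SHA-256 equals the pinned value, so the
# offline build never consumes an input that differs from the reviewed one.
verify_vendor_tarball() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$actual" != "$2" ]; then
        echo "sha256 mismatch for $1: got '$actual', pinned '$2'" >&2
        return 1
    fi
}

# list_vendored_modules TARBALL
# Prints one "module version" line per module recorded in vendor/modules.txt.
# In that file, module entries start with "# "; "## explicit" markers and the
# package paths listed under each module are skipped.
list_vendored_modules() {
    tar -xOf "$1" vendor/modules.txt |
        awk '$1 == "#" && NF >= 3 { print $2, $3 }' | sort
}

# diff_vendored_modules OLD_TARBALL NEW_TARBALL
# Prints "< module version" for entries only in OLD and "> module version"
# for entries only in NEW; prints nothing when the module sets are identical.
diff_vendored_modules() {
    old=$(mktemp) && new=$(mktemp) || return 2
    list_vendored_modules "$1" >"$old"
    list_vendored_modules "$2" >"$new"
    diff "$old" "$new" | grep '^[<>]' || true
    rm -f "$old" "$new"
}
```

Running `diff_vendored_modules` on the previously pinned tarball and a freshly generated one gives a short list of changed module versions to spot-check before the new sha256sum is pinned.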