How do I pin the version of executables?

[stanleynguyen]

There seems to be no writeup on this matter in the documentations (aka README). I'm using vg with dep and my current way of installing executables is putting them in required field inside Gopkg.toml

[JelteF]

Good question! By putting them in required of Gopkg.toml you are already pinning them in Gopkg.lock. The version is only updated if you run vg ensure -update or vg ensure -update github.com/user/repo-with-executable. If you want to exclude some specific (major) versions you can use a [constraint] block in your Gopkg.toml, in the same way as regular dependencies with dep.

I'll keep this open to remember to add something about it to the README for this (probably a link to dep docs).

[stanleynguyen]

@JelteF Thanks for the response 👍 However, I don't think this [constraint] strategy will work in the long run because according to dep README, dep prune is going to be absorbed into dep ensure. So unless you import it, all constraint package will be pruned, am I right? so there should be a way for me to do this in vg I feel

[JelteF]

I'm asking @sdboyer about this on slack to confirm, but I'm quite sure everything that is in the required list won't be pruned. Because that's the way you can insert packages in the dependency graph that are not actually imported (as far as I know).

[JelteF]

I got a response in the #vendor slack channel:

I just tried it myself to see how dep prune behaves with required executable. So, I created a new project and added github.com/golang/dep/cmd/dep package in required. And then I ran ensure. The whole dep repo was downloaded to vendor/. Then I ran prune, and it cleaned all the packages that are not required by github.com/goland/dep/cmd/dep package. And then I tried building dep from what was left in vendor, and it worked. Also, when the require is added to the lock file, dep adds a list of all the packages the required package uses. And this list of project packages is used by prune to create a list of packages to keep. So, if you add the proper package name of the executable, it's safe. Also, you're right about using constraint to set version of a required package.

So it will keep working fine even with prune. As long as you put the actual full path to the executable package, so github.com/golang/dep/cmd/dep instead of github.com/golang/dep. Luckily, you already should do that, because otherwise vg doesn't know which package to install.

[sdboyer]

confirming what was verified experimentally - required are equivalent to an import from a pruning perspective. wouldn't be much point in them otherwise ☺

[stanleynguyen]

Thanks @JelteF @sdboyer It's clear to me now 👍