Open mcastelino opened 7 years ago
This should also address https://github.com/clearcontainers/runtime/issues/332
Makes sense to me. @sboeuf - I thought we had used constraints for certain repos in the past?
Related to this: pinning ourselves to particular dep repo versions makes sense, but does anyone know of a tool that can check to see if newer updates for any repos contain security fixes, for example? This could be a simple shell script calling a bunch of git commands, but I wonder if there is something better out there...?
@mcastelino yes this makes sense too. And honestly that's the same as having the constraint on the master branch but never doing a dep ensure -update.
@jodh-intel all the dependencies we are directly relying on are using master as a constraint I think. The ones with version constraints are the ones pulled in by subpackages.
Description of problem
Today we use https://github.com/golang/dep to manage the project dependencies. However, we do not explicitly constrain the dependencies. This means that dep will pull in the latest commit from the branch we specify.
This can result in issues when there are significant changes in the upstream repos (like new files being added). In such cases dep fails to pick up the new files.
The only solution to this problem is to prune vendor and the lock file and revendor all the dependencies.
This has the unfortunate side effect that we will end up pulling in newer versions of dependencies we may not want to pick up.
To solve this issue we need to explicitly specify our dependencies with the commit we want to pick up. This will ensure we are able to prune and revendor any time we need to, and to update a single dependency.
This can be done using dep constraints:
https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md#constraint
/cc @jodh-intel @sameo
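Added example (editor's illustration, not code from clearcontainers/runtime or from golang/dep): a constructed Gopkg.toml showing the floating `branch = "master"` form the issue describes next to constraints pinned by `revision` or by an exact `=version`, plus a small Go check that lists which rules still float. The repository paths and the commit hash in the sample are placeholders, and `ParseGopkg` is a deliberately minimal line reader for this file shape, not a general TOML parser.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleGopkg is a constructed Gopkg.toml for illustration, not the
// clearcontainers/runtime file. Repository paths and the hash are
// placeholders. The first constraint floats on master (the situation the
// issue describes), the second is pinned to an exact commit, the third uses
// a bare version (which dep reads as the range ^1.2.3, not an exact pin),
// and the override pins a transitive dependency to exactly 2.0.1.
const sampleGopkg = `
# Gopkg.toml (constructed example)

[[constraint]]
  name = "github.com/example/floating"
  branch = "master"

[[constraint]]
  name = "github.com/example/pinned"
  revision = "0123456789abcdef0123456789abcdef01234567"

[[constraint]]
  name = "github.com/example/ranged"
  version = "1.2.3"

[[override]]
  name = "github.com/example/transitive"
  version = "=2.0.1"

[prune]
  go-tests = true
  unused-packages = true
`

// Rule is one [[constraint]] or [[override]] table and its key/value pairs.
type Rule struct {
	Kind string // "constraint" or "override"
	Keys map[string]string
}

// ParseGopkg is a minimal line-oriented reader for the parts of Gopkg.toml
// that matter here: [[constraint]]/[[override]] headers followed by simple
// key = "value" lines. Other tables such as [prune] are skipped. It is not a
// general TOML parser.
func ParseGopkg(src string) []Rule {
	var rules []Rule
	cur := -1 // index of the rule currently being filled, -1 when outside one
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		switch {
		case strings.HasPrefix(line, "[["):
			kind := strings.Trim(line, "[] ")
			cur = -1
			if kind == "constraint" || kind == "override" {
				rules = append(rules, Rule{Kind: kind, Keys: map[string]string{}})
				cur = len(rules) - 1
			}
		case strings.HasPrefix(line, "["):
			cur = -1 // a plain table such as [prune]; not a dependency rule
		default:
			if cur < 0 {
				continue
			}
			k, v, ok := strings.Cut(line, "=")
			if !ok {
				continue
			}
			rules[cur].Keys[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
		}
	}
	return rules
}

// Pinned reports whether a rule fixes one exact commit: an explicit
// revision, or a version written with a leading "=" (dep treats a bare
// "1.2.3" as the caret range ^1.2.3, so it can still move).
func Pinned(r Rule) bool {
	if _, ok := r.Keys["revision"]; ok {
		return true
	}
	v, ok := r.Keys["version"]
	return ok && strings.HasPrefix(v, "=")
}

// Floating returns the import paths of rules that are not pinned, i.e. the
// ones dep resolves to whatever the branch tip or range currently allows,
// which is what lets a prune-and-revendor pull in unwanted upstream changes.
func Floating(rules []Rule) []string {
	var out []string
	for _, r := range rules {
		if !Pinned(r) {
			out = append(out, r.Keys["name"])
		}
	}
	return out
}

func main() {
	for _, r := range ParseGopkg(sampleGopkg) {
		state := "floating"
		if Pinned(r) {
			state = "pinned"
		}
		fmt.Printf("%-10s %-32s %s\n", r.Kind, r.Keys["name"], state)
	}
}
```

Run against the sample, the check reports github.com/example/floating and github.com/example/ranged as floating and the other two as pinned. With every direct dependency carrying a `revision`, pruning vendor and the lock file becomes repeatable, and moving one dependency is a matter of editing that single hash and running dep ensure (or dep ensure -update for that one project) rather than revendoring everything.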