getsentry / raven-go

Sentry client in Go
https://sentry.io
BSD 3-Clause "New" or "Revised" License
561 stars 148 forks

Make raven-go a go module #224

Closed SimonBarendse closed 5 years ago

SimonBarendse commented 5 years ago

Created go.mod and go.sum files to use raven-go as a go module.

mattrobenolt commented 5 years ago

This has already been discussed and we decided against doing this because I don’t want these dependencies pinned. certifi is just root certificates, so ideally, you just grab whatever is latest. If it’s pinned, that’s potentially a security risk.

And the errors package won’t change.

dcramer commented 5 years ago

I'm assuming it's not possible to pin errors without pinning certifi? (re #226)

mattrobenolt commented 5 years ago

Not afaik. I also think pinning in general as a module ourselves is a bad idea. I'm not sure if there's a better way to handle this with loose versioning like every other sensible package manager out there. Ideally we'd declare a range that we're compatible with and not lock dependencies. I don't know how someone pulling in our package would ever support that if we lock things. It's very likely that our lock would conflict with their lock.

SimonBarendse commented 5 years ago

@mattrobenolt Do you mean with loose versioning that a patch or minor upgrade can be used instead of the exact given dependency?

This is the case with go modules. The version in go.mod is the minimum version to be used. Ideally this would be indicated using semver, because that makes it possible to reason about compatibility. With pseudo-versions (those commit timestamps + hashes) the commit timestamp is used to determine what version is the minimum version to be used (minimum version is the newest).

You can find more details here: https://github.com/golang/go/wiki/Modules#version-selection and here: https://golang.org/cmd/go/#hdr-Pseudo_versions

If a project wants to upgrade the version beyond the versions that are indicated by the dependencies, this can be done (e.g. with go get -u). That new minimum version requirement is then added to the projects go.mod. See: https://github.com/golang/go/wiki/Modules#how-to-upgrade-and-downgrade-dependencies
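The minimum-version behaviour described above, as an added example that is not part of this PR or of raven-go: a toy minimal version selection over a constructed requirement graph, where a library pins an old certifi pseudo-version but the consuming application requires a newer one, so the newer one wins. Module paths, versions and hashes are made up for the illustration; `Less` assumes well-formed `vX.Y.Z` or `vX.Y.Z-timestamp-hash` strings.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ModVer is a module path at one version (constructed sample data, not real modules).
type ModVer struct{ Path, Version string }

// Graph holds what each module version's go.mod would require. The library pins
// an old certifi pseudo-version; the app itself requires a newer one.
var Graph = map[ModVer][]ModVer{
	{"app", "main"}:        {{"raven-go", "v0.2.0"}, {"certifi", "v0.0.0-20200101000000-bbbbbbbbbbbb"}},
	{"raven-go", "v0.2.0"}: {{"certifi", "v0.0.0-20180101000000-aaaaaaaaaaaa"}, {"errors", "v0.8.1"}},
	{"errors", "v0.8.1"}:   nil,
}

// Less reports whether version a orders before b. Plain semver (vX.Y.Z) is compared
// numerically; for pseudo-versions (vX.Y.Z-yyyymmddhhmmss-hash) the commit timestamp
// decides, and a plain release sorts above a pseudo-version on the same base.
func Less(a, b string) bool {
	pa := strings.SplitN(strings.TrimPrefix(a, "v"), "-", 2)
	pb := strings.SplitN(strings.TrimPrefix(b, "v"), "-", 2)
	na, nb := strings.Split(pa[0], "."), strings.Split(pb[0], ".")
	for i := 0; i < 3; i++ {
		x, _ := strconv.Atoi(na[i])
		y, _ := strconv.Atoi(nb[i])
		if x != y {
			return x < y
		}
	}
	if (len(pa) == 1) != (len(pb) == 1) {
		return len(pa) == 2 // pre-release/pseudo-version is lower than the release
	}
	if len(pa) == 1 {
		return false // identical releases
	}
	return pa[1] < pb[1] // fixed-width timestamps, so string order is time order
}

// BuildList performs minimal version selection: visit every requirement reachable
// from root and keep the highest version required for each module path.
func BuildList(g map[ModVer][]ModVer, root ModVer) map[string]string {
	selected, seen, queue := map[string]string{}, map[ModVer]bool{}, []ModVer{root}
	for len(queue) > 0 {
		mv := queue[0]
		queue = queue[1:]
		if seen[mv] {
			continue
		}
		seen[mv] = true
		for _, req := range g[mv] {
			if cur, ok := selected[req.Path]; !ok || Less(cur, req.Version) {
				selected[req.Path] = req.Version
			}
			queue = append(queue, req)
		}
	}
	return selected
}

func main() { fmt.Println(BuildList(Graph, ModVer{"app", "main"})) }
```

The app's own requirement overrides the library's older pin, which is why a go.mod entry for certifi is a floor rather than a freeze.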

mattes commented 5 years ago

This has already been discussed and we decided against doing this because I don’t want these dependencies pinned. certifi is just root certificates, so ideally, you just grab whatever is latest @mattrobenolt

I think it's possible to ignore a dependency from being pinned. See exclude directive.