Closed SimonBarendse closed 5 years ago
This has already been discussed and we decided against doing this because I don’t want these dependencies pinned. certifi is just root certificates, so ideally, you just grab whatever is latest. If it’s pinned, that’s potentially a security risk.
And the errors package won’t change.
I'm assuming it's not possible to pin errors without pinning certifi? (re #226)
Not afaik. I also think pinning in general as a module ourselves is a bad idea. I'm not sure if there's a better way to handle this with loose versioning like every other sensible package manager out there. Ideally we'd declare a range that we're compatible with and not lock dependencies. I don't know how someone pulling in our package would ever support that if we lock things. It's very likely that our lock would conflict with their lock.
@mattrobenolt Do you mean with loose versioning that a patch or minor upgrade can be used instead of the exact given dependency?
This is the case with go modules. The version in go.mod is the minimum version to be used. Ideally this would be indicated using semver, because that makes it possible to reason about compatibility. With pseudo-versions (those commit timestamps + hashes) the commit timestamp is used to determine what version is the minimum version to be used (minimum version is the newest).
You can find more details here: https://github.com/golang/go/wiki/Modules#version-selection and here: https://golang.org/cmd/go/#hdr-Pseudo_versions
If a project wants to upgrade the version beyond the versions that are indicated by the dependencies, this can be done (e.g. with go get -u). That new minimum version requirement is then added to the project's go.mod. See: https://github.com/golang/go/wiki/Modules#how-to-upgrade-and-downgrade-dependencies
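The selection rule described above, as an added example that is not part of this thread or of raven-go: a small Go program that applies minimal version selection to a constructed requirement graph (the module names echo the thread, the versions are hypothetical) and shows how raising a minimum in the root go.mod, as `go get` does, moves the selected versions upward but never downward.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed graph, "module@version" -> that go.mod's requirements; names echo the thread, versions are hypothetical.
var graph = map[string]map[string]string{
	"app@v0.0.0":    {"errors": "v0.8.0", "certifi": "v0.1.0"},
	"errors@v0.8.0": {"certifi": "v0.2.0"},
	"errors@v0.9.0": {"certifi": "v0.3.0"},
	"certifi@v0.1.0": {}, "certifi@v0.2.0": {}, "certifi@v0.3.0": {},
}

// less reports whether semver a sorts before b (major.minor.patch only).
func less(a, b string) bool {
	pa, pb := strings.Split(a[1:], "."), strings.Split(b[1:], ".")
	for i := range pa {
		x, _ := strconv.Atoi(pa[i])
		if y, _ := strconv.Atoi(pb[i]); x != y {
			return x < y
		}
	}
	return false
}

// buildList is minimal version selection: visit every reachable go.mod and keep, per module, the newest declared minimum.
func buildList(root string) map[string]string {
	sel, seen := map[string]string{}, map[string]bool{root: true}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		for mod, ver := range graph[queue[0]] {
			if cur, ok := sel[mod]; !ok || less(cur, ver) {
				sel[mod] = ver // a higher minimum wins; a minimum is never lowered
			}
			if k := mod + "@" + ver; !seen[k] {
				seen[k], queue = true, append(queue, k)
			}
		}
	}
	return sel
}

// upgrade mimics `go get module@version`: the raised minimum is recorded in the root go.mod.
func upgrade(root, mod, ver string) { graph[root][mod] = ver }
func main() {
	fmt.Println(buildList("app@v0.0.0")) // map[certifi:v0.2.0 errors:v0.8.0]
	upgrade("app@v0.0.0", "errors", "v0.9.0")
	fmt.Println(buildList("app@v0.0.0")) // map[certifi:v0.3.0 errors:v0.9.0]
}
```

Because certifi's minimum comes from whichever reachable go.mod asks for the newest one, a downstream module can always move past raven-go's declared minimum without any conflict, which is the loose-versioning behaviour the thread is after.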
This has already been discussed and we decided against doing this because I don’t want these dependencies pinned. certifi is just root certificates, so ideally, you just grab whatever is latest @mattrobenolt
I think it's possible to ignore a dependency from being pinned. See exclude directive.
Created go.mod and go.sum files to use raven-go as a go module.