list tool support on front page

[rsc]

What tools understand vendor.json and can be expected to work with it? I don't actually know. I saw reference to Daniel's govendor earlier, which was the first I'd heard of it. I think maybe nut supports vendor.json. I thought godep did but now it looks like maybe it just supports the vendor/ directory tree, not vendor.json itself. Some clarity on what tools to use to try "vendor.json" out would help. Maybe it would encourage others to update their own tools to use it too.

[kardianos]

@rsc I suspect "kardianos/govendor" (previously "kardianos/vendor") is the only one that tries to track it.

Owen's nut had tentatively said he might make use it as a "lock" file and the toml file as human editable, but I haven't seen it move in that direction.

Godep has altered it's dep list file, but hasn't made moves to the vendor-spec as far as I know.

With the vendor folder experiment (no import path rewrites), the role of the vendor-spec is in my mind to record a package with a revision, and maybe a version, plus be in a format where other properties can be recorded too.

Other then just being different then what people might have written themselves, there appear to be two main issues:

1. Some want a human editable file as well that can specify versions up front.
2. Some want to work at the repository level rather then the package level. I've resisted this so far, perhaps I shouldn't.

[kardianos]

I've got a conversation with Edward who has worked on Godep and I am trying to understand the rational for Godep's spec file. I'll post here issues other tools has as I understand them.

[freeformz]

The gap, as I feel it exists anyway is:

1. The Go version that should be used to build code isn't recorded. The Godeps.json file records the version used during the last save operation as the GoVersion field.
2. The base package import path for the repo. The Godeps.json file records this as the top level 'ImportPath' field. W/o this a $GOPATH can't be constructed that places provided code into the proper location for building.
3. The package spec to install. Using godep I can "assume" (in the general case) that this is the same as the package spec(s) used for determining the packages to analyze for vendoring deps. The Godeps.json file records as the top level 'Packages` array.

w/o this data somewhere reproducible builds are impossible. I was hesitant to raise issues for these use cases as I feel that the vendor-spec's focus is on vendoring code, not enabling reproducible builds, of which vendoring is only part of.

[freeformz]

PS: I'd be happy to report issues if you disagree. My plan wrt godep was to wait to see what happens with the vendor-spec and probably adopt it for package meta, but either keep a Godeps.json file around somewhere else or since it's json, just add the keys godep/myself need directly to the file.

[kardianos]

@freeformz I wouldn't be against a complementary spec that can be overlaid on the vendor-spec that will contain enough meta-data to achieve reproducible builds. If we did decide to specify this, I would want to keep them separate. Some tools may decide to just use the vendor-spec, others will go further and also use the full reproducible-build-spec (a superset of the vendor-spec).

I would want buy in from others, but I think that would be a reasonable way to approach it.

[freeformz]

I'm fine with that although I'm not convinced it's worth specifying 3 fields. As it is the vendor-spec isn't all that different from the Deps keys in the Godeps.json file (canonical == ImportPath && revision == Rev).

On further inspection of the vendor-spec examples I'm not sure I could actually use the spec with godep w/o rewritting it to essentially be govendor + a few odd bits for repeatable builds. I will have to spend more time studying the implications of the vendor-spec.

[kardianos]

@freeformz Give me a day. It is slated for some changes. As previously stated, the arity of record is different between godep and vendor-spec.

[kardianos]

@freeformz I've made the changes, please examine to see if we can merge.

@rsc I haven't updated kardianos/govendor to use path and origin yet. After I have done so I'll add a new section for tools that implement this.

[freeformz]

@kardianos Link to a PR?

[kardianos]

Please examine the spec to see if we can merge what govendor and godeps writes down. The most recent commit is here: https://github.com/kardianos/vendor-spec/commit/eb61625c168347ca2b668b7a318dd9b379f7db28