Vendor pruning

[sdboyer]

NB: keep in mind that the we see vendor/ as a temporary solution, and expect to eventually move to some newer, better version of GOPATH that largely obviates the need for it.

Currently, dep naively copies dependent repositories into vendor/ in their entirety. This may produce a vendor/ directory with a lot of unnecessary files, and many projects relying on existing community tools use some technique to prune out unneeded files.

It is unlikely that we could develop a pruning solution that would be as aggressive as every user wants, while still being safe for all other users. However, we would like to establish baseline pruning behavior that is safe for everyone, so that dep can perform it unconditionally, or with a minimum of necessary user input. If nothing else, this has performance benefits: if dep does the pruning, then it's possible for us to implement optimizations to simply avoid copying files that would later be removed.

There are a few, not fully orthogonal, classes of pruning we might consider:

• Removing nested vendor/ directories. This is required for correct builds, and dep will always do it.
• Removing by build tag. Files with a particular build (or os/arch) tag could be pruned, if the user explicitly requests it in the manifest. (Note that this would not affect whether they show up in lock.json - only whether they're pruned from vendor.)
• Removing unused packages. dep keeps track of the individual packages that are necessary to build (either imported by code, or required in the manifest), and could selectively remove those that are not needed. There are sub-considerations here:
  • Should packages explicitly ignored in the manifest be pruning or preserved?
  • Should packages/directories be preserved if they contain non-.go files? What types of files?
• Removing unnecessary files. Similar to the previous, should certain types of files be pruned out of vendored dependencies?

There's some debate as to whether removing files may be a violation of some software licenses. Getting clarity on this question would be ideal; if we can't, then we'll likely have to make additional pruning behaviors optional in order to avoid having dep blacklisted by legal departments.

Finally, pruning is intimately linked to how we approach the problem of vendor verification (#121).

Note that the logic for writing out the dependency tree lives in gps, and is likely to remain there. This issue is to discuss what the behavior and options should be; implementation will happen over there.

[kardianos]

keep in mind that the committee sees vendor/ as a temporary solution, and fully expects to eventually move to some newer, better version of GOPATH that largely obviates the need for vendor/.

This is news to to me. How do you plan to support checking in deps for those who want this?

[kardianos]

There are a few, not fully orthogonal, classes of stripping we might consider:

In govendor a popular approach has been to specify build tags to ignore. If you don't have any ignore build tags then you can keep the repo as is for those who wants that. It also serves to ignore appengine special files or other unsupported platforms.

[sdboyer]

keep in mind that the committee sees vendor/ as a temporary solution, and fully expects to eventually move to some newer, better version of GOPATH that largely obviates the need for vendor/.

This is news to to me.

Yeah, this is a newish thing. It's something we discussed within the committee, but I'm making it explicit here after discussions with @rsc .

How do you plan to support checking in deps for those who want this?

I have another draft issue I'm working on where we can explore that. Hopefully I'll get it up today.
Let's discuss specifics like this over there.

[sdboyer]

In govendor a popular approach has been to specify build tags to ignore. If you don't have any ignore build tags then you can keep the repo as is for those who wants that. It also serves to ignore appengine special files or other unsupported platforms.

Yeah, that makes a ton of sense, and I think it's complementary to the other approaches. I'm now reminded that @freeformz has definitely brought this up in past discussions, too.

Updating the original issue to include this...

[olekukonko]

Removing by build tag. Files with a particular build (or os/arch) Will this not affect cross compilation?

[jessfraz]

It would, I don't think that level (os/arch tags) of pruning should be on by default, but pruning of unused packages should.

[olekukonko]

@jessfraz I couldn’t agree more ...

[sdboyer]

@olekukonko for sure, and that's what that's intended to mean - if we add such a feature, then the user could choose to enable pruning out dependencies entailed solely by a particular build tag.

To be clear, though, this would only affect the deps that actually get written out to vendor/. It would not have any bearing on the way that dependency selection works - the plan there remains to always consider all os/arch/release/build tags, and to record the resultant set in lock.json.