[tor-bugs] #33953 [Applications/Tor Browser]: Provide a way for easily updating Go dependencies of projects

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 22 13:44:58 UTC 2020


#33953: Provide a way for easily updating Go dependencies of projects
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cohosh):

 One thing to keep in mind here is that the go module system pulls in a lot
 more dependencies than we actually need. This happens regardless of which
 of the 3 options above we go with, since they all use the go module logic
 to figure out what is needed.

 See #33761, where we recently removed a bunch of unnecessary dependencies
 from Snowflake. Upon a quick investigation, these extra dependencies come
 from at least the following places:
 - The dependencies are only needed for running tests
 - They are marked with `// indirect` in the `go.mod` file, meaning they
 are ''tentative'' dependencies. These could be dependencies of
 dependencies that don't have a `go.mod` file, are missing from their
 `go.mod` file, or are the result of an up or downgrade (see
 [https://github.com/golang/go/wiki/Modules#why-does-go-mod-tidy-record-indirect-and-test-dependencies-in-my-gomod here]).
 - The dependencies are required only for part of the code that's built
 with an optional build constraint. This is what we ran into with Snowflake,
 where the quic dependencies (which are numerous) are only needed for a part
 of pion-webrtc that we don't use and isn't built by default.

 I think it's worth attempting to exclude go module dependencies that are
 not needed. You can see discussion on #33761 and #33745 on why we want to
 remove the quic dependencies for Snowflake specifically. However, this
 would require extra processing scripts for any of the 3 options above we
 decide to go with.

 The script for (2) could use some more work in addition to excluding
 unnecessary dependencies, like automatically mapping versions to git
 hashes, and integration into however we decide to structure the rbm
 projects (e.g., boklm's input_files idea).

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33953#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
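
An added example, not part of the ticket or of any Tor Project script: one way to find the modules a build does not need is to compare `go list -m all` (the module build list) against the modules of the packages reported by `go list -deps -json ./...`, which leaves out test-only imports and files excluded by build constraints. The `example.com` module paths and both sample outputs are constructed, and `classify` is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// Constructed sample of `go list -deps -json ./...` output (a JSON object stream).
const sampleDeps = `{"ImportPath":"fmt","Standard":true}
{"ImportPath":"example.com/webrtc","Module":{"Path":"example.com/webrtc","Version":"v1.2.0"}}
{"ImportPath":"example.com/client","Module":{"Path":"example.com/client","Main":true}}`

// Constructed sample of `go list -m all` output (the full module build list).
const sampleAll = `example.com/client
example.com/quic v0.7.0
example.com/testify v1.4.0
example.com/webrtc v1.2.0`

// classify splits build-list lines by whether the module supplies a package to the build.
func classify(deps io.Reader, buildList string) (needed, unneeded []string, err error) {
	used := map[string]bool{}
	for dec := json.NewDecoder(deps); dec.More(); {
		var p struct { // the fields of `go list -json` output used here
			Standard bool
			Module   *struct{ Path string }
		}
		if err = dec.Decode(&p); err != nil {
			return nil, nil, err
		}
		if !p.Standard && p.Module != nil {
			used[p.Module.Path] = true
		}
	}
	for _, line := range strings.Split(buildList, "\n") {
		if f := strings.Fields(line); len(f) < 2 {
			continue // blank line, or the main module, which has no version
		} else if used[f[0]] {
			needed = append(needed, line)
		} else {
			unneeded = append(unneeded, line)
		}
	}
	return needed, unneeded, nil
}

func main() {
	fmt.Println(classify(strings.NewReader(sampleDeps), sampleAll))
}
```

`go list` evaluates build constraints for the current GOOS, GOARCH and build tags, so the comparison has to be repeated for each target platform that is built.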

