[tor-bugs] #33953 [Applications/Tor Browser]: Provide a way for easily updating Go dependencies of projects

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 27 18:59:35 UTC 2020


#33953: Provide a way for easily updating Go dependencies of projects
--------------------------------------+--------------------------
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:3 boklm]:
 > Replying to [comment:2 cohosh]:
 > > > 1) Use go mod vendor to vendor in the dependencies and then build
 > > > with -mod=vendor to use the vendor folder with the dependencies.
 > >
 > > How would this work? Would we have to pull from a separate snowflake
 > > branch that has this vendor folder checked in? If we're going to pull all
 > > the dependencies at once, I'd rather do something like option (3), since
 > > it sounds like there's already a workflow present for something similar.
 > > Maintaining the vendor directory sounds tricky.
 >
 > I think this can be done by adding a `go_mod_vendor` step, which will
 > use a container with network enabled and a snowflake source tarball (from
 > the same git clone) to run `go mod vendor` and generate a tarball which
 > will be used as `input_files` for the snowflake build.

 That's one approach, yes. I had more in mind the option of doing it like we
 handle our Rust crates. One would update all the modules and then put them
 into a .tar.bz2 file somewhere, which then gets used during the build. I
 don't like the idea of using just what `go mod vendor` gives us
 automatically for each build, but it seems you have addressed that with
 your PoC. Right now we'd have duplicated repos, though, due to #33988,
 right?

 > I have not tested it, and it probably does not work yet, but I think
 > this could look like this:
 > https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_33953_go_mod_vendor&id=5e7c5b88bc22548262744f7ec435210ebfaed221

 Okay, this is safeguarded with a sha256sum we calculate before using the
 whole input; that's good. I still feel a bit uneasy about doing build X
 while network access is allowed for building X, because you should not
 need network access when building. :) But maybe one could see it more
 like fetching resources, which we'd need to do anyway for building.

 Another thing that I feel the `go mod vendor` version does not give us is
 easy transparency regarding dependencies and what is used. However we
 construct the fetching of dependencies, you usually have a .tar.xz blob
 and that's it, while with the current setup (and boklm's improved one) it
 is easier to see the updated repo changes and spot-check things.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33953#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
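The two-step workflow the comment discusses (an online `go mod vendor` step that produces a tarball, and an offline build that checks the tarball's sha256sum before using it and builds with `-mod=vendor`), written out as an added shell example. This is not code from the ticket, from boklm's branch, or from tor-browser-build; the file names, the `.tar.xz` layout, GNU `sha256sum`, and the `GOPROXY=off` setting (added here so that any remaining network fetch during the offline build fails loudly, which the ticket does not mention) are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not tor-browser-build's own code. Two halves of the
# workflow discussed in #33953:
#   1. online step: run `go mod vendor` where network access is allowed,
#      tar the vendor directory, record its sha256sum
#   2. offline step: verify the tarball against the recorded sum BEFORE
#      unpacking it, then build from the vendor tree with network disabled
# File names and paths below are assumptions for illustration.

# sha256 of one file as a bare hex string (GNU coreutils sha256sum assumed;
# on BSD/macOS use `shasum -a 256` instead).
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Online step (network-enabled container): vendor the module's dependencies
# into <src>/vendor, pack that directory as <out>, and write <out>.sha256.
make_vendor_tarball() {
    src="$1"   # checked-out Go module, e.g. a snowflake clone (assumed)
    out="$2"   # output path, e.g. snowflake-vendor.tar.xz (assumed)
    (cd "$src" && go mod vendor) || return 1
    tar -C "$src" -cJf "$out" vendor || return 1
    file_sha256 "$out" > "$out.sha256"
}

# Offline step, part 1: refuse the input unless its hash matches the value
# recorded earlier. Returns 0 on match, 1 on mismatch or missing file.
verify_sha256() {
    f="$1"; expected="$2"
    [ -f "$f" ] || { echo "missing input: $f" >&2; return 1; }
    actual=$(file_sha256 "$f")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $f: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# Offline step, part 2: unpack the verified vendor tree into the source and
# build only from it. -mod=vendor makes Go use vendor/ instead of the module
# cache; GOPROXY=off (an addition here, not from the ticket) turns any
# attempt to download a module into a hard build error.
build_from_vendor() {
    src="$1"; tarball="$2"; expected="$3"
    verify_sha256 "$tarball" "$expected" || return 1
    tar -C "$src" -xJf "$tarball" || return 1
    (cd "$src" && GOPROXY=off GOFLAGS=-mod=vendor go build ./...)
}

# Usage (nothing runs unless a subcommand is given):
#   sh vendor.sh vendor <srcdir> <out.tar.xz>
#   sh vendor.sh build  <srcdir> <in.tar.xz> <expected-sha256>
case "${1:-}" in
    vendor) make_vendor_tarball "$2" "$3" ;;
    build)  build_from_vendor "$2" "$3" "$4" ;;
esac
```

The point gk raises about transparency still applies: the tarball is opaque, so the `.sha256` file only proves the offline build used the same blob the online step produced, not that the blob's contents were reviewed. Keeping `go.sum` and `vendor/modules.txt` from the vendored tree in version control is what lets a reviewer diff what actually changed between updates.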