-
-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reconsidering GX #5850
Comments
cc @ipfs/go-team @libp2p/go-team |
@jbenet pointed out that go modules don't help if a dependency gets removed from github. Supporting that use-case without gx would require something like whyrusleeping/gx#200. This is somewhat mitigated by the fact that we cut full source releases but it's still not ideal. |
We can maintain forks in some org, like we already do in https://github.com/gxed. As for the proposal itself I'd say it's worth trying given how much time I waste on fiddling with gx deps, evan with all the tools. And then there is the fact that gx is rather unapproachable for outside contributors. |
While we can maintain forks, we'd have to make go-ipfs use these forks in imports which will cause problems for packages not using these forks (unless I'm misunderstanding the suggestion). |
I believe so.
May align with our upcoming efforts on package managers.
I am a fan of Using a single interface to manage packages for multiple languages is a big plus in my book. That being said, I'm not attached to Highlighting this:
|
This is perhaps a "side" issue to this question, but I am curious -- right now, the use of How do people feel about the use of 3rd party librarys? For example, as someone who likes to write tests, I was tempted to reach for https://github.com/stretchr/testify -- but didn't want to go the rigamarole of the debate about using it and bringing it into the project with As someone coming from Ruby, JS, Elixir and other scripting oriented languages, I'm used to bringing tools and packages I didn't write. (and no one on the team wrote) But also, I know go is systems programming oriented and people generally use external 3rd party libraries less in these languages. Anyway, the use of go modules would unlock the ability to use 3rd party libraries more easily, so I wonder how folks feel about this? |
We might be able to use the gomod
|
We can pretty easily import external packages into gx using the The tricky part here is really dealing with version conflicts. When you import a package into Just to be clear, the new gx lock system is designed to completely fix this issue. With the gx lock system, you should never have to explicitly import a dependency into
The key part here is that dependencies don't have to be modified. However, I submitted this issue because the current gx lock system is missing some key components at the moment:
To change this situation, we'll need someone completely dedicated to making
At the moment, I don't know of anyone who can fill that role. |
i completely agree with @Stebalien that this is a full-time job, and is something we should hire for if we want to make it a focus. i also agree @djdv that this is something we should hire for. imo our lives would be made easier by:
|
Code being removed from GitHub is an issue that can strike any project, and reasonably exceeds the scope of project development I think (despite this project's long-term goal to make this a non-issue, it remains a goal and not a requirement). The PR #5849 is on track to demonstrate that Go modules can operate and pass in all the CI environments. |
I agree with everything except this. The argument "everyone else does this" doesn't really hold when there's something we can (and currently do) to avoid it. On the other hand, frequent source releases and/or forking projects we depend on (linking them in with the "replace" directive) may be sufficient. |
There seems to be broad consensus that:
It seems to me there are two separate decisions at this point:
The answer to question 1, for the moment, seems relatively clear -- go-ipfs for the foreseeable future is best served by switching to go modules, as it's like to increase dev speed for existing developers and reduce cognitive load for new developers. (with an initial speed bump to make the switch) The answer to question 2 is less clear, because at minimum, IPFS's overall roadmap puts package manager adoption as our top 2019 priority, so abandoning GX feels contrary to that. The more I think about it though, the more I think that question 2 is a decision that needs @momack2 or @daviddias input, cause it's more of a "overall goals for IPFS + Protocol Labs" question than a technical question. (it might also be that GX just get's prioritized in our OKR planning in a way it hasn't before, and doesn't need a seperate FTE? I dunno... but want to also @eingenito in this discussion since he's the OKR guru ATM) |
This is a fantastic change! Go modules are amazing. I think You all (protocol labs) have built up a very solid community and perhaps this can partially be solved by reaching out to the community for assistance with this issue? You all have a lot on your plate, and I'm sure there's people in the community that would be willing to help. I know I myself would be happy to help in whatever way. |
Ok, I'll break a lance in favour of Gx, despite all the painfulness that it causes to maintainers on libp2p and go-ipfs land, myself included. At certain level, it would make me a bit sad to drop Gx because:
Moving everything and everyone to Go modules and dropping Gx will not be a light task. I don't have an idea of how much it will cost to "fix Gx", but we might as well prioritize it so that we can have Go modules and Gx side to side without having to drop Gx first? If we did not have to "bubble up" Gx deps, would Go modules provide any advantage to consider their adoption (the inflexible dependency resolution provided by Gx is also a powerful glue which provides a clear snapshot of the whole ecosystem at the time of a build). |
I agree, I'd much prefer to keep GX as it dogfoods our own tech. However, the reality is that someone needs to become the GX maintainer for it to be usable. That's not just dedicating a little time to make it better. We need someone to really own it. Really we don't actually need someone to own
That's only half of it; that's the pain seen by people trying to integrate go-ipfs. The other half is the pain and wasted time we feel whenever we have to bubble an update through the entire dependency tree.
I think this will be entirely eclipsed by happy users/contributors. Creating a good package manager with a good UX is hard but GX has demonstrated that content addressing in package managers works.
Regardless of what we do with gx, we need to support go modules.
Go modules actually provide the same guarantee. Once you update a version constraint on a dependency or a transitive dependency:
|
From the libp2p project perspective, our main goal is gaining broader adoption. Every non-standard tool or concept that users or aspiring contributors encounter raises their cost to adopt libp2p. So, speaking purely from the perspective of getting libp2p adopted by 10+ major open source projects in 2019, |
Its exciting that we're finally at the point where recommended go tooling can give us most of the same guarantees as gx. In an ideal world, I'd like to be able to use gx to fulfil dependencies for go modules (my favorite feature is not having to download the same code multiple times), but given that I have no time to dedicate to maintaining gx and giving it the features it needs to not be oboxious, switching to go modules seems like the right approach. Onwards! |
I suggest #5849 be reopened, and that git tagging of releases be resumed. The tagging, and go.mod support in dependencies are not blockers to immediate adoption. |
I'd like to fix the dependencies first. Without go-mod, we have no way to specify minimum version constraints which will make reliably updating dependencies painful and error prone. |
@warpfork and @daviddias who I think might either have ideas on folks/communities who might make good dedicated gx maintainers or other ways we can support the work to mitigate this velocity damper in the short term. |
I have tricky feels on this. On the one hand, I 100% am on board with the idea that it's important to aim for a future where we have package managers that DTRT while being powered by content-addressable decentralized forget-nothing secure goodness. On the other hand, I think that's an incredibly complicated design space. (Right off the bat: "package" and "package manager" are powerfully ambiguous terms. I just came from a roundtable at the Reproducible Builds Summit about trying to define the word "package": we couldn't; it carries a lot of concepts and means different things in different contexts... and our experience so far in discovering that "UX is hard" with On the third hand, it's exciting that the Go community tools are starting to offer snapshotting and integrity guarantees. Given this, and given the new-contributor-friction argument... on the whole, I'm swayed to agree that yes, perhaps we should give go modules a shot. On the gripping hand: I have to confess, I use git submodules for this on my personal projects and continue to regret nothing. Source control workflows for controlling source are surprisingly adroit. In summary: I'm reserved about whether the Go modules system will be perfect for ages (probably not; nothing is), and definitely not effervescent with joy about Yet Another for-some-reason-language-specific package manager being part of my life... but those are reservations, not refutations. If the consensus is that using the Go modules system is on the whole going to be best for I really want to continue the research into content-addressable-native and reproducible-by-design package managers. If we step away from using |
From the perspective of go-filecoin: we would love to move away from gx. It's a significant drag on velocity and clearly not something that we are capable of supporting at the level it deserves/requires. |
Are we ready to close this issue? To summarize I'd say there's general consensus that, all factors being considered, we should switch to go modules, and begin the work to do so asap. |
From the libp2p perspective, we have discussed this on several occasions with a general consensus that we should experiment with go mod, and find the right hooks to enable go mod to pull packages from IPFS via (proxies were suggested), and to use merkle hashes to refer to releases and authenticate releases. Reading the go mod plans for 2019, I feel even more confident about this: https://blog.golang.org/modules2019 It’s worth keeping an eye on how module authentication and mirroring progress. We could integrate IPFS via the mirroring API, create a multicodec to encapsulate their hashes, and use their indices to push all public modules to IPFS, much like the js team has done with npm. It would be great to designate a person to actively participate in the design process upstream, and to advocate for what we need in terms of APIs, hooks, etc. |
This was my teams biggest worry when we started working with |
Definitely not ready to close this issue yet. Thanks for the input Raúl and jvsteiner. |
Thanks to @Stebalien for setting a tone on this potentially-contentious topic. I've talked with @whyrusleeping on this issue at length, and lived with When I encountered I do want to point out one thing though: Big, ambitious projects like IPFS derive great benefit from needing to solve real problems for real people. For what it's worth, I think there's only one major problem with gx in go land: it doesn't follow go idioms. In a world before go modules, it wasn't really an option for gx. Now that go modules exist I think someone should take a shot at making it work, even for a day, before calling this. If someone can get Anyway, I'd fully support whatever is decided here. Go modules will make our life easier. I will be sad to see gx go, and would love to see it return. I want to say a big thank-you to @whyrusleeping. The fundamentals of gx are fantastic. I may lose my shit every time I see all that gak in |
There's no need to switch to or make go mod support available across all projects simultaneously. Because of minimum version selection, you can consume repos without a go.mod that later gain one without concern. When updating to to a new version of a dependency that has subsequently gained go.mod support, any new minimums will be applied appropriately in the dependent project. For this reason it should be possible to start adopting go.mod project by project as the need arises. |
Please see: #5850 (comment). |
I continue to receive feedback that this is an important issue to discuss and potentially move forward with. I would recommend that we look at this either in an extended weekly core team sync or during our next in person meeting (hopefully in 2019!) and develop a clear plan for moving forward. |
It's also making it difficult for me to test changes to libp2p with respect to IPFS without changing my workflow to accomodate gx. @Stebalien has written a tool that allows use of go.mod over IPFS to support those users that truly require the non-UI aspects of gx. |
I am going to kick off migrating any |
Should we close this as #6038 got merged? |
I think so. |
IPFS migrates from gx to go mod for dependencies. ipfs/kubo#5850 Publishing to gx-go also used to be combined with updating git tags but that is no longer the case. And after removing gx, they renamed tags to gx/x.x.x to not mess with go mod's dependency solver.
IPFS migrates from gx to go mod for dependencies. ipfs/kubo#5850 Publishing to gx-go also used to be combined with updating git tags but that is no longer the case. And after removing gx, they renamed tags to gx/x.x.x to not mess with go mod's dependency solver.
We can use go module with ipfs GOPROXY. |
Current State
The current plan is to:
go.mod
support.gx
defer to the language's package manager for dependency resolution (when requested by the user). Take a look at Making GX pleasant to use whyrusleeping/gx#179 starting at Making GX pleasant to use whyrusleeping/gx#179 (comment).There has also been some more recent discussion (whyrusleeping/gx#200) about potentially creating a go-mod proxy that uses IPFS and using that instead or in addition to gx.
The issue currently blocking all of this is whyrusleeping/gx#215. Once that is resolved, we can adopt both systems in parallel.
Unfortunately, that's only the first step. The next step would be implementing the improvements to
gx
mentioned in whyrusleeping/gx#179 (comment). Without that, we can technically usegx
along side go modules but we'll still have to manually keep the two systems in sync.Why GX?
The primary arguments (that I know of) to use GX are:
go.sum
file that we could check in to the repo to provide the same security, as far as I can tell.gx
uses IPFS. We'd like to eventually makegx
into a versatile package manager that can be used by multiple languages. Using IPFS also brings along perks like being able to work in disconnected networks.Proposal
So, this brings me to my final point. Given that:
go.sum
(as gx exists today, given that we're not authenticating gx's "lastpubver" file in any way).I'd like to seriously consider:
gx
until it can live (usably) along side go modules.The key questions we really need to answer is:
go.sum
file) provide equivalent functionality and security asgx
(as it exists today)?I know this will be a polarizing topic but please be constructive and rational.
The text was updated successfully, but these errors were encountered: