Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Split sentry-go into multiple submodules #156

Closed
rhcarvalho opened this issue Jan 30, 2020 · 34 comments
Closed

Split sentry-go into multiple submodules #156

rhcarvalho opened this issue Jan 30, 2020 · 34 comments
Labels
Type: Breaking

Comments

@rhcarvalho
Copy link
Contributor

The topic has popped up in a few occasions. Some don't like to see a long list of indirect dependencies in their go.mod files.

#75 (comment)

#75 (comment)

#79
@rhcarvalho rhcarvalho mentioned this issue Jan 30, 2020
Closed
@rhcarvalho
Copy link
Contributor Author

rhcarvalho commented Jan 30, 2020
edited
Loading

@rur wrote in #75 (comment):

Overhead may or may not end up in the artifact but it will spam my project dependencies, which I care about.

Please read https://research.swtch.com/deps

``` +github.com/Joker/hpp v0.0.0-20180418125244-6893e659854a/go.mod h1:MzD2WMdSxvbHw5fM/OXOFily/lipJWRc9C1px0Mt0ZE= +github.com/Joker/jade v1.0.0/go.mod h1:efZIdO0py/LtcJRSa/j2WEklMSAw84WV0zZVMxNToB8= +github.com/Shopify/goreferrer v0.0.0-20181106222321-ec9c9a553398/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0= +github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= +github.com/aymerick/raymond v2.0.2+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g= +github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/eknkc/amber v0.0.0-20171010120322-cdade1c07385/go.mod h1:0vRUJqYpeSZifjYj7uP3BG/gKcuzL9xWVV/Y+cK33KM= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/flosch/pongo2 v0.0.0-20190707114632-bbf5a6c351f4/go.mod h1:T9YF2M40nIgbVgp3rreNmTged+9HrbNTIQf1PsaIiTA= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/gavv/monotime v0.0.0-20190418164738-30dba4353424/go.mod h1:vmp8DIyckQMXOPl0AQVHt+7n5h7Gb7hS6CUydiV8QeA= +github.com/getsentry/sentry-go v0.3.0 h1:6E+Oxq9CbT1kQrBPJ/RmWPqFBVS4CqU25RaMqeKnbs8= +github.com/getsentry/sentry-go v0.3.0/go.mod h1:Mrvr9TRhClLixedDiyFeucydQGOv4o7YQcW+Ry5vDdU= +github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3/go.mod h1:VJ0WA2NBN22VlZ2dKZQPAPnyWw5XTlK1KymzLKsr59s= +github.com/gin-gonic/gin v1.4.0/go.mod h1:OW2EZn3DO8Ln9oIKOvM++LBO+5UPHJJDH72/q/3rZdM= +github.com/go-check/check v0.0.0-20180628173108-788fd7840127/go.mod h1:9ES+weclKsC9YodN5RgxqK/VD9HM9JsCSh7rNhMZE98= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= +github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= +github.com/gorilla/schema v1.1.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/imkira/go-interpol v1.1.0/go.mod h1:z0h2/2T3XF8kyEPpRgJ3kmNv+C43p+I/CoI+jC3w2iA= +github.com/iris-contrib/blackfriday v2.0.0+incompatible/go.mod h1:UzZ2bDEoaSGPbkg6SAB4att1aAwTmVIx/5gCVqeyUdI= +github.com/iris-contrib/formBinder v5.0.0+incompatible/go.mod h1:i8kTYUOEstd/S8TG0ChTXQdf4ermA/e8vJX0+QruD9w= +github.com/iris-contrib/go.uuid v2.0.0+incompatible/go.mod h1:iz2lgM/1UnEf1kP0L/+fafWORmlnuysV2EMP8MW+qe0= +github.com/iris-contrib/httpexpect v0.0.0-20180314041918-ebe99fcebbce/go.mod h1:VER17o2JZqquOx41avolD/wMGQSFEFBKWmhag9/RQRY= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/juju/errors v0.0.0-20181118221551-089d3ea4e4d5/go.mod h1:W54LbzXuIE0boCoNJfwqpmkKJ1O4TCTZMetAt6jGk7Q= +github.com/juju/loggo v0.0.0-20180524022052-584905176618/go.mod h1:vgyd7OREkbtVEN/8IXZe5Ooef3LQePvuBm9UWj6ZL8U= +github.com/juju/testing v0.0.0-20180920084828-472a3e8b2073/go.mod h1:63prj8cnj0tU0S9OHjGJn+b1h0ZghCndfnbQolrYTwA= +github.com/k0kubun/colorstring v0.0.0-20150214042306-9440f1994b88/go.mod h1:3w7q1U84EfirKl04SVQ/s7nPm1ZPhiXd34z40TNz36k= +github.com/kataras/golog v0.0.0-20190624001437-99c81de45f40/go.mod h1:PcaEvfvhGsqwXZ6S3CgCbmjcp+4UDUh2MIfF2ZEul8M= +github.com/kataras/iris v11.1.1+incompatible/go.mod h1:ki9XPua5SyAJbIxDdsssxevgGrbpBmmvoQmo/A0IodY= +github.com/kataras/pio v0.0.0-20190103105442-ea782b38602d/go.mod h1:NV88laa9UiiDuX9AhMbDPkGYSPugBOV6yTZB1l2K9Z0= +github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= +github.com/klauspost/cpuid v0.0.0-20180405133222-e7e905edc00e/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/labstack/echo/v4 v4.1.10/go.mod h1:i541M3Fj6f76NZtHSj7TXnyM8n2gaodfvfxNnFqi74g= +github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k= +github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.7/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ= +github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw= +github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/pingcap/errors v0.11.1/go.mod h1:Oi8TUi2kEtXXLMJk9l1cGmz20kV3TaQ0usTwv5KuLY8= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= +github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4= +github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= +github.com/valyala/fasthttp v1.4.0/go.mod h1:4vX61m6KN+xDduDNwXrhIAVZaZaZiQ1luJk8LWSxF3s= +github.com/valyala/fasttemplate v1.0.1/go.mod h1:UQGH1tvbgY+Nz5t2n7tXsz52dQxojPUpymEIMZ47gx8= +github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio= +github.com/xeipuuv/gojsonpointer v0.0.0-20190809123943-df4f5c81cb3b/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/xeipuuv/gojsonschema v1.1.0/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= +github.com/yalp/jsonpath v0.0.0-20180802001716-5cc68e5049a0/go.mod h1:/LWChgwKmvncFJFHJ7Gvn9wZArjbV5/FppcK2fKk/tI= +github.com/yudai/gojsondiff v1.0.0/go.mod h1:AY32+k2cwILAkW1fbgxQ5mUmMiZFgLIV+FBNExI05xg= +github.com/yudai/golcs v0.0.0-20170316035057-ecda9a501e82/go.mod h1:lgjkn3NuSvDfVJdfcVVdX+jpBxNmX4rDAzaS45IcYoM= +github.com/yudai/pp v2.0.1+incompatible/go.mod h1:PuxR/8QJ7cyCkFp/aUDS+JY727OFEZkTdatxwunjIkc= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180911220305-26e67e76b6c3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190813064441-fde4db37ae7a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/tools v0.0.0-20181221001348-537d06c36207/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= +gopkg.in/go-playground/validator.v8 v8.18.2/go.mod h1:RX2a/7Ha8BgOhfk7j780h4/u/RRjR0eouCJSH80/M2Y= +gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= ```

@rhcarvalho
Copy link
Contributor Author

rhcarvalho commented Jan 30, 2020
edited
Loading

@leighmcculloch wrote in #75 (comment):

The large dependency list of this SDK is a burden in other ways beyond binary size. For engineering teams that review or audit dependencies the huge number of dependencies that this SDK imports directly and indirectly is overwhelming. This isn't a one-time cost since the list changes between releases.

As an example this is a summary of the changes to a Go project upgrading the Sentry SDK to the latest version showing dependencies removed, added, and changed. An importer of the Sentry SDK who wishes to review and test dependencies would have to review 23 new dependencies and changes to 15 existing dependencies.

This scale of dependency changes is more similar to the cost in upgrading from one version of a completely encompassing multi-feature web framework rather than a utility or integration SDK. It'd be great if the dependency list could be greatly reduced .

``` 0 github.com/AndreasBriese/bbloom + e2d15f34fcf9 https://github.com/AndreasBriese/bbloom 1 github.com/CloudyKit/fastprinter + 74b38d55f37a https://github.com/CloudyKit/fastprinter 2 github.com/CloudyKit/jet + 62edd43e4f88 https://github.com/CloudyKit/jet 3 github.com/Joker/hpp 6893e659854a > v1.0.0 https://github.com/Joker/hpp/compare/6893e659854a...v1.0.0 4 github.com/Joker/jade v1.0.0 > d475f43051e7 https://github.com/Joker/jade/compare/v1.0.0...d475f43051e7 5 github.com/aymerick/raymond v2.0.2 > b565731e1464 https://github.com/aymerick/raymond/compare/v2.0.2...b565731e1464 6 github.com/dgraph-io/badger + v1.6.0 https://github.com/dgraph-io/badger 7 github.com/dgryski/go-farm + 6a90982ecee2 https://github.com/dgryski/go-farm 8 github.com/dustin/go-humanize + v1.0.0 https://github.com/dustin/go-humanize 9 github.com/etcd-io/bbolt + v1.3.3 https://github.com/etcd-io/bbolt 10 github.com/fasthttp-contrib/websocket + 1f3b11f56072 https://github.com/fasthttp-contrib/websocket 11 github.com/gavv/httpexpect + v2.0.0 https://github.com/gavv/httpexpect 12 github.com/getsentry/sentry-go v0.3.0 > v0.3.1 https://github.com/getsentry/sentry-go/compare/v0.3.0...v0.3.1 13 github.com/gobwas/httphead + 2c6c146eadee https://github.com/gobwas/httphead 14 github.com/gobwas/pool + v0.2.0 https://github.com/gobwas/pool 15 github.com/gobwas/ws + v1.0.2 https://github.com/gobwas/ws 16 github.com/gorilla/schema v1.1.0 - 17 github.com/gorilla/websocket + v1.4.0 https://github.com/gorilla/websocket 18 github.com/hashicorp/go-version + v1.2.0 https://github.com/hashicorp/go-version 19 github.com/iris-contrib/formBinder v5.0.0 - 20 github.com/iris-contrib/httpexpect ebe99fcebbce - 21 github.com/iris-contrib/i18n + 987a633949d0 https://github.com/iris-contrib/i18n 22 github.com/iris-contrib/schema + v0.0.1 https://github.com/iris-contrib/schema 23 github.com/kataras/golog 99c81de45f40 > v0.0.9 https://github.com/kataras/golog/compare/99c81de45f40...v0.0.9 24 github.com/kataras/iris v11.1.1 - 25 github.com/kataras/iris/v12 + v12.0.1 https://github.com/kataras/iris/v12 26 github.com/kataras/neffos + v0.0.10 https://github.com/kataras/neffos 27 github.com/klauspost/compress v1.4.0 > v1.9.0 https://github.com/klauspost/compress/compare/v1.4.0...v1.9.0 28 github.com/klauspost/cpuid e7e905edc00e > v1.2.1 https://github.com/klauspost/cpuid/compare/e7e905edc00e...v1.2.1 29 github.com/labstack/echo/v4 v4.1.10 > v4.1.11 https://github.com/labstack/echo/v4/compare/v4.1.10...v4.1.11 30 github.com/mediocregopher/mediocre-go-lib + cb65787f37ed https://github.com/mediocregopher/mediocre-go-lib 31 github.com/mediocregopher/radix/v3 + v3.3.0 https://github.com/mediocregopher/radix/v3 32 github.com/nats-io/nats.go + v1.8.1 https://github.com/nats-io/nats.go 33 github.com/nats-io/nkeys + v0.0.2 https://github.com/nats-io/nkeys 34 github.com/nats-io/nuid + v1.0.1 https://github.com/nats-io/nuid 35 github.com/onsi/ginkgo v1.10.1 > v1.10.3 https://github.com/onsi/ginkgo/compare/v1.10.1...v1.10.3 36 github.com/onsi/gomega v1.7.0 > v1.7.1 https://github.com/onsi/gomega/compare/v1.7.0...v1.7.1 37 github.com/pingcap/errors v0.11.1 > v0.11.4 https://github.com/pingcap/errors/compare/v0.11.1...v0.11.4 38 github.com/smartystreets/goconvey 505e41936337 > v1.6.4 https://github.com/smartystreets/goconvey/compare/505e41936337...v1.6.4 39 github.com/valyala/fasthttp v1.4.0 > v1.6.0 https://github.com/valyala/fasthttp/compare/v1.4.0...v1.6.0 40 github.com/xeipuuv/gojsonschema v1.1.0 > v1.2.0 https://github.com/xeipuuv/gojsonschema/compare/v1.1.0...v1.2.0 41 gopkg.in/yaml.v2 v2.2.2 > v2.2.4 ```

Output is generated by golistcmp.

@rhcarvalho
Copy link
Contributor Author

@leighmcculloch wrote in #75 (comment):

Another example output, the total number of dependencies for the SDK is 129 (one line in the output below is the module name itself, so one less than 130):

$ git clone https://github.com/getsentry/sentry-go
$ cd sentry-go
$ go list -m all | wc -l
130

@rhcarvalho
Copy link
Contributor Author

@leighmcculloch wrote in #75 (comment):

Most of the dependencies arises from the module containing handlers for lots of different servers, e.g. fasthttp, gin, iris, martini, negroni, and also contains an examples directory that exercises them all.

Most applications are going to use a single type of http server, and so many of the dependencies being imported will be unused in an importing application. Applications that use only net/http as the server will use even less of the dependencies. e.g. If I remove all of the directories listed above the dependency list goes from 130 to 20.

Could each server specific handler become it's own Go Module, i.e. create a go.mod file in each handler directory, and in the example directory. This would reduce the dependency graph for each server type, and the native net/http handler could be used with 20 dependencies instead of 130.

@rhcarvalho
Copy link
Contributor Author

@rhcarvalho wrote in #79 (comment):

Multi-module repository FAQ: https://github.com/golang/go/wiki/Modules#faqs--multi-module-repositories

Should I have multiple modules in a single repository?
Adding modules, removing modules, and versioning modules in such a configuration require considerable care and deliberation, so it is almost always easier and simpler to manage a single-module repository rather than multiple modules in an existing repository.

@rhcarvalho
Copy link
Contributor Author

@rhcarvalho wrote in #79 (comment):

https://github.com/golang/go/wiki/Modules#can-an-additional-gomod-exclude-unnecessary-content-do-modules-have-the-equivalent-of-a-gitignore-file

Can an additional go.mod exclude unnecessary content? Do modules have the equivalent of a .gitignore file?
One additional use case for having multiple go.mod files in a single repository is if the repository has files that should be pruned from a module. For example, a repository might have very large files that are not needed for the Go module, or a multi-language repository might have many non-Go files.
An empty go.mod in a directory will cause that directory and all of its subdirectories to be excluded from the top-level Go module.
If the excluded directory does not contain any .go files, no additional steps are needed beyond placing the empty go.mod file. If the excluded directory does contain .go files, please first carefully review the other FAQs in this multi-module repository section.

@rhcarvalho
Copy link
Contributor Author

Could each server specific handler become it's own Go Module, i.e. create a go.mod file in each handler directory, and in the example directory. This would reduce the dependency graph for each server type, and the native net/http handler could be used with 20 dependencies instead of 130.

This idea sounds simple but has known drawbacks observed in the Go community at large. I've run into a few situations in the last months in which projects would not build after some dependency decided to split up into multiple modules per repository.

The Go Wiki outlines the caveats of maintaining multi-module repositories: https://github.com/golang/go/wiki/Modules#faqs--multi-module-repositories.

If we do split, then we have to be very careful with the initial splitting to avoid breaking existing users. We would also have to keep maintaining several go.mod files that should all depend on an appropriate version of the core sentry-go package/module.

Releasing sentry-go would also require maintaining a larger set of Git tags, one per module.

Special care would have to be given whenever we add a new module, if that would be the status quo by then, one module per package, one module per integration.

@rhcarvalho
Copy link
Contributor Author

For engineering teams that review or audit dependencies the huge number of dependencies that this SDK imports directly and indirectly is overwhelming. This isn't a one-time cost since the list changes between releases.

Short answer

Engineering teams should review and audit packages that are dependencies of their binaries, package main.

That is a different list than what Go Modules track.

Long answer

We need to distinguish between Package Dependencies and Module Dependencies.

go list makes the distinction with the -m flag:

Packages

github.com/getsentry/sentry-go only depends on packages from the standard library:

$ go list -f '{{join .Imports "\n"}}' github.com/getsentry/sentry-go | xargs go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}'

An example program that uses github.com/getsentry/sentry-go does not depend on any extra package, at least not transitively caused by sentry-go:

$ go list -f '{{join .Imports "\n"}}' github.com/getsentry/sentry-go/example/basic | xargs go list -f '{{if not .Standard}}{{.ImportPath}}{{end}}'
github.com/getsentry/sentry-go

Modules

Go Modules do know about the direct and indirect dependencies of all packages in a module, those being stored in the go.mod file (FAQ).

The go.mod file also includes the minimum version it requires of each dependency, transitively.

When building a program, package main, the versions of the dependencies that go into the final binary are determined according to the Minimal Version Selection algorithm.

Let's say you have a program, package main, a web server based on the Gin framework:

package main

import (
	"fmt"
	"net/http"

	"github.com/getsentry/sentry-go"
	sentrygin "github.com/getsentry/sentry-go/gin"
	"github.com/gin-gonic/gin"
)

func main() {
	// ...
}

Here is the go.mod of your project, after running go mod tidy:

module example.com/gin-server                                                                                                                                                                      
                                                                                                                                                                                                   
go 1.13                                                                                                                                                                                            
                                                                                                                                                                                                   
require (                                                                                                                                                                                          
        github.com/getsentry/sentry-go v0.4.0                                                                                                                                                      
        github.com/gin-gonic/gin v1.5.0                                                                                                                                                            
        github.com/go-playground/universal-translator v0.17.0 // indirect                                                                                                                          
        github.com/golang/protobuf v1.3.3 // indirect                                                                                                                                              
        github.com/json-iterator/go v1.1.9 // indirect                                                                                                                                             
        github.com/leodido/go-urn v1.2.0 // indirect                                                                                                                                               
        github.com/mattn/go-isatty v0.0.12 // indirect                                                                                                                                             
        golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9 // indirect                                                                                                                            
        gopkg.in/go-playground/validator.v9 v9.31.0 // indirect                                                                                                                                    
        gopkg.in/yaml.v2 v2.2.8 // indirect                                                                                                                                                        
)

At the time of writing this, the latest release of sentry-go is v0.4.0. The lastest release of gin is v1.5.0. Please do note that [email protected] lists gin@v1.4.0 as the minimal version for the dependency in its go.mod file.

https://github.com/getsentry/sentry-go/blob/v0.4.0/go.mod#L9

What is the version of gin that goes into the binary produced by go build, what version needs to be audited? [email protected]!

Where is the exact code that needs review?

$ go list -deps | sort | xargs go list -f '{{.Dir}}'
$GOROOT/src/bufio
$GOROOT/src/bytes
$GOROOT/src/compress/flate
$GOROOT/src/compress/gzip
$GOROOT/src/container/list
$GOROOT/src/context
$GOROOT/src/crypto
$GOROOT/src/crypto/aes
$GOROOT/src/crypto/cipher
$GOROOT/src/crypto/des
$GOROOT/src/crypto/dsa
$GOROOT/src/crypto/ecdsa
$GOROOT/src/crypto/ed25519
$GOROOT/src/crypto/ed25519/internal/edwards25519
$GOROOT/src/crypto/elliptic
$GOROOT/src/crypto/hmac
$GOROOT/src/crypto/internal/randutil
$GOROOT/src/crypto/internal/subtle
$GOROOT/src/crypto/md5
$GOROOT/src/crypto/rand
$GOROOT/src/crypto/rc4
$GOROOT/src/crypto/rsa
$GOROOT/src/crypto/sha1
$GOROOT/src/crypto/sha256
$GOROOT/src/crypto/sha512
$GOROOT/src/crypto/subtle
$GOROOT/src/crypto/tls
$GOROOT/src/crypto/x509
$GOROOT/src/crypto/x509/pkix
$GOROOT/src/encoding
$GOROOT/src/encoding/asn1
$GOROOT/src/encoding/base64
$GOROOT/src/encoding/binary
$GOROOT/src/encoding/gob
$GOROOT/src/encoding/hex
$GOROOT/src/encoding/json
$GOROOT/src/encoding/pem
$GOROOT/src/encoding/xml
$GOROOT/src/errors
/home/rodolfo/example/gin-server
$GOROOT/src/fmt
$GOPATH/pkg/mod/github.com/getsentry/[email protected]
$GOPATH/pkg/mod/github.com/getsentry/[email protected]/gin
$GOPATH/pkg/mod/github.com/gin-contrib/[email protected]
$GOPATH/pkg/mod/github.com/gin-gonic/[email protected]
$GOPATH/pkg/mod/github.com/gin-gonic/[email protected]/binding
$GOPATH/pkg/mod/github.com/gin-gonic/[email protected]/internal/json
$GOPATH/pkg/mod/github.com/gin-gonic/[email protected]/render
$GOPATH/pkg/mod/github.com/golang/[email protected]/proto
$GOPATH/pkg/mod/github.com/go-playground/[email protected]
$GOPATH/pkg/mod/github.com/go-playground/[email protected]/currency
$GOPATH/pkg/mod/github.com/go-playground/[email protected]
$GOPATH/pkg/mod/github.com/leodido/[email protected]
$GOPATH/pkg/mod/github.com/mattn/[email protected]
$GOPATH/pkg/mod/github.com/ugorji/go/[email protected]
$GOROOT/src/go/ast
$GOROOT/src/go/build
$GOROOT/src/go/doc
$GOPATH/pkg/mod/golang.org/x/[email protected]/unix
$GOROOT/src/go/parser
$GOPATH/pkg/mod/gopkg.in/go-playground/[email protected]
$GOPATH/pkg/mod/gopkg.in/[email protected]
$GOROOT/src/go/scanner
$GOROOT/src/go/token
$GOROOT/src/hash
$GOROOT/src/hash/crc32
$GOROOT/src/html
$GOROOT/src/html/template
$GOROOT/src/internal/bytealg
$GOROOT/src/internal/cpu
$GOROOT/src/internal/fmtsort
$GOROOT/src/internal/goroot
$GOROOT/src/internal/goversion
$GOROOT/src/internal/lazyregexp
$GOROOT/src/internal/nettrace
$GOROOT/src/internal/oserror
$GOROOT/src/internal/poll
$GOROOT/src/internal/race
$GOROOT/src/internal/reflectlite
$GOROOT/src/internal/singleflight
$GOROOT/src/internal/syscall/unix
$GOROOT/src/internal/testlog
$GOROOT/src/io
$GOROOT/src/io/ioutil
$GOROOT/src/log
$GOROOT/src/math
$GOROOT/src/math/big
$GOROOT/src/math/bits
$GOROOT/src/math/rand
$GOROOT/src/mime
$GOROOT/src/mime/multipart
$GOROOT/src/mime/quotedprintable
$GOROOT/src/net
$GOROOT/src/net/http
$GOROOT/src/net/http/httptrace
$GOROOT/src/net/http/httputil
$GOROOT/src/net/http/internal
$GOROOT/src/net/rpc
$GOROOT/src/net/textproto
$GOROOT/src/net/url
$GOROOT/src/os
$GOROOT/src/os/exec
$GOROOT/src/path
$GOROOT/src/path/filepath
$GOROOT/src/reflect
$GOROOT/src/regexp
$GOROOT/src/regexp/syntax
$GOROOT/src/runtime
$GOROOT/src/runtime/cgo
$GOROOT/src/runtime/internal/atomic
$GOROOT/src/runtime/internal/math
$GOROOT/src/runtime/internal/sys
$GOROOT/src/sort
$GOROOT/src/strconv
$GOROOT/src/strings
$GOROOT/src/sync
$GOROOT/src/sync/atomic
$GOROOT/src/syscall
$GOROOT/src/text/template
$GOROOT/src/text/template/parse
$GOROOT/src/time
$GOROOT/src/unicode
$GOROOT/src/unicode/utf16
$GOROOT/src/unicode/utf8
$GOROOT/src/unsafe
$GOROOT/src/vendor/golang.org/x/crypto/chacha20poly1305
$GOROOT/src/vendor/golang.org/x/crypto/cryptobyte
$GOROOT/src/vendor/golang.org/x/crypto/cryptobyte/asn1
$GOROOT/src/vendor/golang.org/x/crypto/curve25519
$GOROOT/src/vendor/golang.org/x/crypto/hkdf
$GOROOT/src/vendor/golang.org/x/crypto/internal/chacha20
$GOROOT/src/vendor/golang.org/x/crypto/internal/subtle
$GOROOT/src/vendor/golang.org/x/crypto/poly1305
$GOROOT/src/vendor/golang.org/x/net/dns/dnsmessage
$GOROOT/src/vendor/golang.org/x/net/http2/hpack
$GOROOT/src/vendor/golang.org/x/net/http/httpguts
$GOROOT/src/vendor/golang.org/x/net/http/httpproxy
$GOROOT/src/vendor/golang.org/x/net/idna
$GOROOT/src/vendor/golang.org/x/sys/cpu
$GOROOT/src/vendor/golang.org/x/text/secure/bidirule
$GOROOT/src/vendor/golang.org/x/text/transform
$GOROOT/src/vendor/golang.org/x/text/unicode/bidi
$GOROOT/src/vendor/golang.org/x/text/unicode/norm

(output edited to use $GOROOT and $GOPATH instead of full paths in my system)

Please note that the code that needs auditing/review is independent of whatever packages appear in the go.mod files of any dependency, sentry-go or any others. The critical go.mod file is the one of the program being built.

@leighmcculloch
Copy link

leighmcculloch commented Jan 30, 2020
edited
Loading

Engineering teams should review and audit packages that are dependencies of their binaries

This is a great point. I think the go build process only includes into the final build the packages actually imported in the dependency tree and not all packages in a module.

However, this doesn't capture the full picture of how this impacts importers of your module. Importing a module still brings that modules complete dependency graph into the dependency resolution process. Anyone using dependencies imported will be limited by the minimum versions defined in sentry-go or any transitive dependency through sentry-go.

The critical go.mod file is the one of the program being built.

This is not always the case. Go.mod files only contain direct dependencies, and indirect dependencies that are not captured in a transitive dependencies go.mod file. If a transitive dependency has a go.mod file, its dependencies will not be captured in the applications go.mod file. If a transitive dependency adds a go.mod file the // indirect dependencies for its dependencies should disappear from the app go.mod. The only way to know the actual dependencies is to use go list.

A large dependency graph still causes importers pain. Multiple modules would reduce that pain in a backwards compatible way. However, I agree, there is care required and a maintenance cost for you folks.

@rhcarvalho
Copy link
Contributor Author

Importing a module still brings that modules complete dependency graph into the dependency resolution process.
Anyone using dependencies imported will be limited by the minimum versions defined in sentry-go or any transitive dependency through sentry-go.

This is true and unfortunate.

Specifically the limitation pushes people to use newer versions. As far as I know, we haven't heard anyone complain about that, though. I imagine it would be worse if we forced people to use old versions.

Example for future reference:

$ go get -u github.com/smartystreets/[email protected] github.com/getsentry/[email protected]
go: finding github.com/smartystreets/goconvey 1.5.0
go: finding github.com/gopherjs/gopherjs latest
go: finding golang.org/x/tools latest
go get: inconsistent versions:
        github.com/getsentry/[email protected] requires github.com/smartystreets/[email protected] (not github.com/smartystreets/[email protected] from github.com/smartystreets/[email protected])

The example above shows that a downstream module cannot depend on both github.com/getsentry/[email protected] and github.com/smartystreets/[email protected] (an older version), even though github.com/getsentry/sentry-go itself doesn't depend on github.com/smartystreets/goconvey.

A large dependency graph still causes importers pain. Multiple modules would reduce that pain in a backwards compatible way. However, I agree, there is care required and a maintenance cost for you folks.

We're on the same page. I'll keep this open for investigation. Is a nice to have for v1.0.0.

In fact, this issue boils down to how to deal with integrations and examples, those are the ones bringing in extraneous dependencies.

Notes

@rhcarvalho
Copy link
Contributor Author

Adding a point of reference here...

I run into golang/go#29935, which describes a similar problem that surfaced in golang.org/x/build and cloud.google.com/go modules.

Some highlights:

Before modules, it wasn’t a problem

Can you hide that package behind a build tag?

go mod tidy looks across all build tags, so build tag alone might be insufficient to address the initial concern

Parameterizing mod tidy on build tags is #25873.
[note: still open as of today]

This is how the dependency tree in golang.org/x/build was reduced by creating a new module: https://go-review.googlesource.com/c/build/+/167461/
And the follow up https://go-review.googlesource.com/c/build/+/167463/

If one follows issues and goes down the rabbit hole, one finds several reports of broken state and fire.

I think removing the dependencies of integrations from sentry-go is a noble goal, but we have to be careful when doing so, and react if and when something goes wrong.

Unfortunately testing the changes precisely is hard, as the whole process relies on public tags on GitHub among other steps that are hard to reproduce, and even if we did do with a fork or sample repo, there is no guarantee all would go right for sentry-go itself.

@rhcarvalho
Copy link
Contributor Author

rhcarvalho commented Feb 4, 2020
edited
Loading

And one more similar issue golang/go#30685, golang.org/x/net

Highlights:

I propose making it a separate module but not making any tagged releases yet, which is more in line with bcmills's plan described in golang/go#28136 (comment) that we have been following so far for all subrepos.

I don't yet know if it's better to include a replace golang.org/x/net => ../.. directive in the h2demo module's go.mod file, or to leave it out. This would need to be figured out.

The effect of having a replace golang.org/x/net => ../.. directive in the future golang.org/x/net/http2/h2demo module is that when you're doing local development, it will use the version of golang.org/x/net that is on your disk two parent directories up, instead of the version specified in the http2/h2demo/go.mod file.
It also means any local changes to the http2, etc., packages from golang.org/x/net module will be picked up when building or testing h2demo.

@rhcarvalho
Copy link
Contributor Author

Initially we may follow the same strategy as described in golang/go#28136 (comment).

The downside being that importers of an integration (or any "submodule" for that matter) would see lines like github.com/getsentry/sentry-go/INTEGRATION/XYZ v0.0.0-20200101000000-abc123def456 in their go.mod files.

It remains an open discussion how to version the submodules:

  • Should a submodule have a version tag independent of sentry-go?
    • When do we release/tag submodules?
  • Should all submodules be tagged with the same version when there is a release?
    • If we go that route, we may need to teach craft how to make several tags per release.

@rhcarvalho
Copy link
Contributor Author

I was wondering what situation we'd be in in a world where dep had succeed as the official tool.

https://golang.github.io/dep/docs/the-solver.html#activated-constraints

Activated constraints

Just because a [[constraint]] on P appears in D's Gopkg.toml doesn't necessarily mean the constraint on P is considered active. A package in P must be imported by a package in D - and, if D is not the current project, then one of its packages importing P must also be imported.

Given the following dependency graph, where C is the current project:

C -> D
C -> P
D/subpkg -> P

Even though C imports D, because D/subpkg is not reachable through C's imports, any [[constraint]] declared in D's Gopkg.toml' on P will not be active.

The reasoning behind this behavior is explained further in this gist.

If I understand the above correctly, if sentry-go had constraints on the supported versions of packages it uses in integrations (fasthttp, gin, etc) in a top-level Gopkg.toml, those constraints would have no effects on a project C that uses sentry-go and doesn't use integrations.

@rhcarvalho
Copy link
Contributor Author

With the recent release of Go 1.14 and plans for 1.15, I learned about golang/go#36460, proposal: cmd/go: lazy module loading.

If my understanding of the proposal is right, a future version of Go Modules could reduce the need to break a repository into multiple modules.

The discussion in golang/go#37175 supports that. Some quotes:

Back when GOPATH mode was the only build mode available, there was not a high cost to having many unrelated packages in one repository.
In module mode, having many unrelated packages in one module can contribute to increasing the size of the module graph.

bcmills is working on a change that would reduce the cost of a large module graph (both in load time and stability). Placeholder issue is #36460. So this may not be a justification for splitting modules in the future.
In general, multi-module repos complicate development in a lot of ways, and I think we should avoid that if we can.

In the longer term, lazy loading of go.mods will make this situation not bother looking [...] because it doesn't matter for the build at hand.

@rhcarvalho
Copy link
Contributor Author

One more issue discussing splitting a repository (golang.org/x/tools) into multiple modules: golang/go#27858

(comments express resistance to having multiple go.mod files)

@derekperkins
Copy link
Contributor

The Google Cloud SDK is an example of a repo that has split into many modules. I couldn't find any discussion around it though.
https://github.com/googleapis/google-cloud-go

@rhcarvalho rhcarvalho mentioned this issue Apr 15, 2020
Closed
@rhcarvalho rhcarvalho mentioned this issue Jun 3, 2020
Closed
@Gunni
Copy link

Gunni commented Sep 2, 2020

sentry-go is adding in 161 packages into go.sum right now, but just 1 in go.mod, is anyone even working on this?

@rhcarvalho
Copy link
Contributor Author

sentry-go is adding in 161 packages into go.sum right now, but just 1 in go.mod, is anyone even working on this?

@Gunni do you have some specific concern I can help you with?

Adding to go.sum is no harm, it doesn't affect your built binaries in any way.
One unintended effect the current single-module design and how Go modules work is that sentry-go may "force" binaries to update their dependencies (see #156 (comment)). That's generally no harm either as the Go community is typically moving forward and we have not heard of anyone having build problems because of that.

An upcoming change to Go modules, which might land in Go 1.16, will likely remove the need to split the repo into multiple modules, see golang/go#36460.

@peplin
Copy link

peplin commented Nov 11, 2020

Unfortunately I can't offer a solution to this problem, but I wanted to drop a note about a workaround.

My main issue with the large dependency list is not concern over the size of the binary, but that in my organization I have to get the open source licenses reviewed and approved for all transitive dependencies. GPL/LGPL are problematic.

Starting from go.mod:

Those are the only 3 LGPLv3 licensed libraries in the entire graph. The rest are all generally permissive licenses (MIT, BSD, Apache, etc).

As a workaround, I added this to my go.mod to exclude v12.0.1 of Iris:

+exclude (
+       github.com/kataras/iris/v12 v12.0.1
+)

This forces Go to use a newer version instead, v12.1.0, which thankfully does not pull in the Juju depednencies.

@rhcarvalho rhcarvalho mentioned this issue Nov 13, 2020
Closed
@rhcarvalho
Copy link
Contributor Author

@peplin thanks for bringing this up.

Splitting the SDK into multiple modules is something in our radar but the change is more complex.
For the time being, #297 should mitigate what you are seeing, if not please let us know.
A release will follow early next week.

Note that the only packages that go into your build are those actually imported by your Go packages or their transitive package (not module) dependencies.

You can list all recursively imported dependencies of a package with go list -f '{{join .Deps "\n"}}'.

As an example, here are the dependencies of a basic example (from this repo) using sentry-go. Note that there are no dependencies outside of the Go standard library:

$ cd example/basic
$ go list -f '{{join .Deps "\n"}}'
bufio
bytes
compress/flate
compress/gzip
container/list
context
crypto
crypto/aes
crypto/cipher
crypto/des
crypto/dsa
crypto/ecdsa
crypto/ed25519
crypto/ed25519/internal/edwards25519
crypto/elliptic
crypto/hmac
crypto/internal/randutil
crypto/internal/subtle
crypto/md5
crypto/rand
crypto/rc4
crypto/rsa
crypto/sha1
crypto/sha256
crypto/sha512
crypto/subtle
crypto/tls
crypto/x509
crypto/x509/internal/macos
crypto/x509/pkix
encoding
encoding/asn1
encoding/base64
encoding/binary
encoding/hex
encoding/json
encoding/pem
errors
fmt
github.com/getsentry/sentry-go
go/ast
go/build
go/doc
go/parser
go/scanner
go/token
hash
hash/crc32
internal/bytealg
internal/cpu
internal/fmtsort
internal/goroot
internal/goversion
internal/lazyregexp
internal/nettrace
internal/oserror
internal/poll
internal/race
internal/reflectlite
internal/singleflight
internal/syscall/execenv
internal/syscall/unix
internal/testlog
internal/unsafeheader
io
io/ioutil
log
math
math/big
math/bits
math/rand
mime
mime/multipart
mime/quotedprintable
net
net/http
net/http/httptrace
net/http/internal
net/textproto
net/url
os
os/exec
path
path/filepath
reflect
regexp
regexp/syntax
runtime
runtime/cgo
runtime/debug
runtime/internal/atomic
runtime/internal/math
runtime/internal/sys
sort
strconv
strings
sync
sync/atomic
syscall
text/template
text/template/parse
time
unicode
unicode/utf16
unicode/utf8
unsafe
vendor/golang.org/x/crypto/chacha20
vendor/golang.org/x/crypto/chacha20poly1305
vendor/golang.org/x/crypto/cryptobyte
vendor/golang.org/x/crypto/cryptobyte/asn1
vendor/golang.org/x/crypto/curve25519
vendor/golang.org/x/crypto/hkdf
vendor/golang.org/x/crypto/internal/subtle
vendor/golang.org/x/crypto/poly1305
vendor/golang.org/x/net/dns/dnsmessage
vendor/golang.org/x/net/http/httpguts
vendor/golang.org/x/net/http/httpproxy
vendor/golang.org/x/net/http2/hpack
vendor/golang.org/x/net/idna
vendor/golang.org/x/net/route
vendor/golang.org/x/sys/cpu
vendor/golang.org/x/text/secure/bidirule
vendor/golang.org/x/text/transform
vendor/golang.org/x/text/unicode/bidi
vendor/golang.org/x/text/unicode/norm

@rhcarvalho
Copy link
Contributor Author

rhcarvalho commented Mar 17, 2021
edited
Loading

Another problem people are running into is getting confused with dependencies on old/vulnerable versions of integration dependencies, for example, old version of Gin https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-550031.

The core SDK (the sentry package at the root of this repo) has no external dependencies.

For the framework integrations like Gin, Echo, etc, we've not bumped our dependencies as per our SDK development philosophy with the intention of not pushing people to upgrade their dependencies and keeping as broad compatibility as possible. Users are ultimately in control of what version of a framework they want to use, and sentry-go does not force them to upgrade.

At the moment, one can't use sentry-go with versions of Gin older than 1.4.0:

$ go get github.com/getsentry/sentry-go@latest github.com/gin-gonic/[email protected]
go: github.com/getsentry/sentry-go latest => v0.10.0
go get: inconsistent versions:
        github.com/getsentry/[email protected] from github.com/getsentry/sentry-go@latest requires github.com/gin-gonic/[email protected] (not github.com/gin-gonic/[email protected])

We could change that dependency version bump policy specifically for Go, but ultimately having separate modules for framework integrations would reduce (to zero) the module dependency list of the top level module.

@rhcarvalho
Copy link
Contributor Author

It is unfortunate that, with the introduction of Go Modules, tools in the Go ecosystem often focus solely on the module dependency tree, ignoring that not all packages in a module are actually part of the build.

The go.mod file of a library (like the Sentry Go SDK) lists the minimum versions of modules it is willing to be built with. As I wrote in my previous comment, Sentry tries to be compatible with as broad a range of versions as possible, therefore we need to list the minimum versions that can possibly work. This doesn't mean that sentry-go is vulnerable or forces the use of an outdated library because, ultimately, the decision on which version is part of the built is in the hands of the main module (that is, users of Sentry Go).

See Minimal Version Selection for more details on how the Go tool decides which versions of dependencies are part of the final build list.

@ngalaiko
Copy link

ngalaiko commented Feb 1, 2022
edited
Loading

Any progress on this? I would like to use an officially supported library, but unfortunately, as mentioned multiple times before, lack of attention to 3rd party dependencies prevents me from doing that.

For now, I am forced to use github.com/getsentry/raven-go instead.

@bcmills
Copy link

bcmills commented Feb 1, 2022

This sort of use-case is exactly what we had in mind when we added module graph pruning in Go 1.17.

Module graph pruning would allow sentry-go itself to depend on a large number of third-party modules, without pulling otherwise-irrelevant dependencies of those modules into the module graph for users of sentry-go. (Modules that provide packages transitively imported by sentry-go would still end up in the module graph, but the transitive dependencies of those modules would be pruned out.)

To activate module graph pruning, you'd need to bump the go version in go.mod up to go 1.17 or higher. (Note that that step itself won't break users on versions older than 1.17 — they just won't see the effects of graph pruning until they upgrade the go version in their own modules.)

@bcmills
Copy link

bcmills commented Feb 1, 2022

@derekperkins

The Google Cloud SDK is an example of a repo that has split into many modules.

As I understand it, the main purpose of breaking the cloud SDK into multiple modules is so that releases of those modules can happen on independent schedules. (For example, cloud.google.com/go/gkeconnect is currently on v0.1.0, whereas cloud.google.com/go/bigtable is on v1.13.0 — reflecting a very different level of maturity and API stability.)

rhcarvalho added a commit to rhcarvalho/sentry-go that referenced this issue Feb 8, 2022
@rhcarvalho
build: Bump Go version in go.mod
6c004c5 
Commit generated with this command
  go mod tidy -go=1.17 -compat=1.15

Using Go version 1.17.5.

The idea is to enable consumers of sentry-go to be able to use module
graph pruning (Go 1.17+ required), such that dependencies of sentry-go
that are otherwise unused by end users can be pruned away.

See getsentry#156 (comment)
@rhcarvalho rhcarvalho mentioned this issue Feb 8, 2022
Merged
rhcarvalho added a commit to rhcarvalho/sentry-go that referenced this issue Feb 8, 2022
@rhcarvalho
build: Bump Go version in go.mod
78f200c 
Commit generated with this command
  go mod tidy -go=1.17 -compat=1.15

Using Go version 1.17.5.

The idea is to enable consumers of sentry-go to be able to use module
graph pruning (Go 1.17+ required), such that dependencies of sentry-go
that are otherwise unused by end users can be pruned away.

See getsentry#156 (comment)

Also update CI workflow to check for go.mod tidiness using the same line
as used to generate this commit. Update data race tests that were still
accidentally being run on Go 1.16 instead of 1.17.
@rhcarvalho
Copy link
Contributor Author

Thanks for chiming in @bcmills ❤️

I guess I overlooked the need to declare go 1.17 in the go.mod file to enable pruning.

The next release should enable pruning. Perhaps that addresses most needs and obviates the need to split into multiple submodules (which comes with a higher toll on the development and release processes).

kamilogorek pushed a commit that referenced this issue Feb 10, 2022
@rhcarvalho
build: Bump Go version in go.mod (#410)
dc2eb25 
Commit generated with this command
  go mod tidy -go=1.17 -compat=1.15

Using Go version 1.17.5.

The idea is to enable consumers of sentry-go to be able to use module
graph pruning (Go 1.17+ required), such that dependencies of sentry-go
that are otherwise unused by end users can be pruned away.

See #156 (comment)

Also update CI workflow to check for go.mod tidiness using the same line
as used to generate this commit. Update data race tests that were still
accidentally being run on Go 1.16 instead of 1.17.
@kamilogorek kamilogorek mentioned this issue Feb 28, 2022
Closed
@cleptric cleptric linked a pull request Oct 30, 2022 that will close this issue
feat: make other dependencies into submodules (#156) #414
Closed
@cleptric cleptric mentioned this issue Nov 28, 2022
Closed
@cleptric cleptric self-assigned this Dec 6, 2022
@cleptric cleptric mentioned this issue Dec 7, 2022
Closed
@vaind
Copy link
Collaborator

vaind commented Jul 10, 2023

It looks like this is safe to close now as wont-fix/obsolete, with module pruning in place.

@rhcarvalho
Copy link
Contributor Author

It looks like this is safe to close now as wont-fix/obsolete, with module pruning in place.

I agree! Closed.

@rhcarvalho rhcarvalho closed this as not planned Won't fix, can't repro, duplicate, stale Jul 10, 2023
@cleptric cleptric removed their assignment Jul 10, 2023
@leighmcculloch
Copy link

leighmcculloch commented Jul 10, 2023
edited
Loading

Module pruning helps to keep the go.mod file smaller for importers, but the problem remains because Go does not perform version resolution at a package level but at a module level, so I believe this means anyone importing dependencies that overlap with the large depth graph of sentry-go will still be impacted by it, because sentry-go's mod file will still impact which minimum version is selected. See this rejected proposal for more details:

But this issue of the impact on version selection might not be meaningful. It's unclear for me as of yet.

@rhcarvalho
Copy link
Contributor Author

Hi Leigh,

Thanks for your comment(s), you always bring up interesting points, much appreciated.

[...] but the problem remains because Go does not perform version resolution at a package level but at a module level
[...]
But this issue of the impact on version selection might not be meaningful. It's unclear for me as of yet.

Has that been meaningful in any project you worked on?

When weighing the advantages and disadvantages of maintaining multi-module repositories, my experience leads me to lean towards the belief that managing multi-module repos demands a greater investment in customized tooling. On the other hand, single module repositories have made some advancements over the years, especially with the introduction of module pruning.

Perhaps there's off-the-shelf tooling that makes releasing and developing multi-module repos a breeze?! Have you used anything you'd recommend? Most recently I've been using go.work to appease VS Code's Go integration, but that doesn't scale well.

@leighmcculloch
Copy link

Has that been meaningful in any project you worked on?

Not that is actively impacting me. And it's unclear to me if this will meaningfully negatively impact a project, it really only poses a problem if folks want to use an old minor version for some reason, which is not particularly common.

If you did want to explore multiple modules, then yup, I think go.work would be the way to go and then keep the release process simple and just always tag all modules regardless of whether they contain any changes so you're still developing as a single unit.

But I think closing this issue is a reasonable tradeoff.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Breaking
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: make other dependencies into submodules (#156)
10 participants
@rhcarvalho @peplin @leighmcculloch @Gunni @derekperkins @bcmills @vaind @cleptric @stephanie-anderson @ngalaiko