<p>If you were the CTO of a medium-sized technology company and you have decided to use Go as your company's main programming language, which libraries or frameworks would you encourage your team(s) to use? Please base it on the knowledge that these libraries are proven to work well for production-code, their authors won't disappear, they're actively developed, there's good documentation, good community, they're developed by experienced teams/contributors, they're used by other big/known tech companies, etc.</p>
<p>Obviously, Go is still quite young to have "mature" libraries (compared to other older/more established languages+ecosystems) but there must already be some sense of where to put your trust. As a new-comer to the Go world, I'd love to hear what recommendations you have.</p>
<p>Update: since some people are asking "libraries/frameworks to do what?" I'd want to say general purpose web application development using enterprise integration patterns. Examples: authentication/authorization, messaging, http2, websockets, emails, database clients, caching, (distributed) configuration management, service discovery clients, resilience libraries, logging, tracing, monitoring, scheduling, something like akka-cluster, etc.</p>
<hr/>**评论:**<br/><br/>mistretzu: <pre><p>Use the standard lib as much as you can, then
<a href="https://github.com/golang/go/wiki/SubRepositories" rel="nofollow">https://github.com/golang/go/wiki/SubRepositories</a> and then use <a href="/u/des09" rel="nofollow">/u/des09</a> advice & common sense to vet what is reliable and what is not.</p></pre>des09: <pre><p>Since you haven't had any response to this, I'll take a crack at an answer. Almost all Golang libs are in GitHub, so a quick glance at the open issues, commit history, code, tests, and pulse graphs will tell you a lot about a libraries maintenance. Gokit, and redigo are two examples of libs I vetted this way before deciding to bring them into prod use at work.</p>
<p>Also, Golang libraries tend to be small, and tend to have fewer transitive dependencies than say Java or JavaScript, so it it's quite easy to vet a projects total set of dependencies in this way.</p></pre>carsncode: <pre><p>The standard library covers the vast majority of general-purpose needs. For database drivers, API clients, and so on, at this point you can usually find a stable, official client library for anything in widespread use.</p>
<p>For anything beyond that, there are some stable libs out there, but they're really not necessary. If you do want to import a library, since imports are resolved directly from the source repo, it's really easy to vet them and know what you're getting (unlike, say, npm or nuget, where the package you download doesn't necessarily match what's in the repo).</p>
<p>My general recommendation though would have to be: don't take on dependencies unless you have to. The standard library is very broad, the language is very easy to work with, and personally I think the import-happy culture of NodeJS, .NET, Java, Ruby, and so on is a plague on software development. We're in dire need of a move toward fewer dependencies and better-vetted dependencies.</p></pre>r-_3: <pre><p>libraries to do what? </p></pre>cyberal: <pre><p>Updated question to give examples</p></pre>shazow: <pre><p>+1 to what <a href="/u/des09" rel="nofollow">/u/des09</a> and <a href="/u/mistretzu" rel="nofollow">/u/mistretzu</a> said, but going down your list for fun:</p>
<ul>
<li>authentication/authorization: this depends too much on what you're doing. You might like <a href="https://github.com/avelino/awesome-go#authentication-and-oauth" rel="nofollow">this list</a> for something "out of the box".</li>
<li>messaging: <a href="https://grpc.io/" rel="nofollow">gRPC</a> is all the rage these days.</li>
<li>http2: The standard library http client has some of the best http2 support of any language: <a href="https://golang.org/pkg/net/http/" rel="nofollow">https://golang.org/pkg/net/http/</a></li>
<li>websockets: <a href="https://github.com/gorilla/websocket" rel="nofollow">https://github.com/gorilla/websocket</a> is what most people use</li>
<li>emails: The standard library is pretty decent, but <a href="https://github.com/avelino/awesome-go#email" rel="nofollow">more here</a>.</li>
<li>database clients: Lots of SQL drivers in the standard library: <a href="https://golang.org/pkg/database/sql/" rel="nofollow">https://golang.org/pkg/database/sql/</a>, but also many modern databases are actually written in Go. Depends what you're looking for, lots of things here including ORMs etc: <a href="https://github.com/avelino/awesome-go" rel="nofollow">https://github.com/avelino/awesome-go</a></li>
<li>caching: <a href="https://github.com/golang/groupcache" rel="nofollow">groupcache</a> is surprisingly good, but there are again just too many options for various cases that it's hard to pick one.</li>
<li>distributed configuration management, service discovery clients, scheduling, deploying, monitoring, etc: All the standard modern tooling applies to Go too. Kubernetes is pretty popular these days.</li>
<li>logging, profiling, tracing, etc: Go has some of the best tooling for this right now. Lots of great posts here: <a href="https://rakyll.org/" rel="nofollow">https://rakyll.org/</a> and <a href="https://medium.com/@rakyll" rel="nofollow">https://medium.com/@rakyll</a> </li>
</ul>
<p>Hope this helps.</p></pre>tech_tuna: <pre><p>If I were a CTO, I would make sure that I have a team who could fork and maintain any open source library they used.</p>
<p>I.e. I wouldn't worry about it. </p></pre>i_love_golang: <pre><p>Just be very, very careful. Be sure to code review it! This article was more about JS, but I think many of the same concerns apply here.</p>
<p><a href="https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5" rel="nofollow">https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5</a></p></pre>tech_tuna: <pre><p>Yes, that's a good point, but I think OP is more concerned about reliability/quality of the code.</p>
<p>Also, if no one "trusts" the greater Go ecosystem, then it won't grow. </p></pre>kardianos: <pre><p>I hope everyone does who claims to be an engineer reviews* their dependencies, initially and every time they update them.</p>
<p>review*: at least look at each file at least once.</p></pre>i_love_golang: <pre><p>I usually look here to start:
"Awesome Go" - <a href="https://github.com/avelino/awesome-go" rel="nofollow">https://github.com/avelino/awesome-go</a></p>
<p>But remember to code review where it makes sense. This is a real threat everyone should be aware of:
<a href="https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5" rel="nofollow">https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5</a></p></pre>muesli: <pre><p>There's enough mature Go code out there. You'll have to be a bit more specific, though. What kind of problems are you trying to solve, what frameworks are you looking for?</p></pre>cyberal: <pre><p>I updated the question to try to give a bit more direction. Thanks for pointing it out</p></pre>jmking: <pre><p>How is it that you unilaterally decided on a language without even evaluating the ecosystem, consulting your staff, or even used the language yourself?</p></pre>cyberal: <pre><p>It was a hypothetical questions. I'm not in this situation myself or know of anyone in this situation. </p>
<p>I'm new to the language and i'll be joining a company that uses Go. I realize that I'm not familiar enough with the ecosystem to have an unbiased opinion and therefore i'm asking for information from people who do have the experience.</p>
<p>Would you want to share your opinion on libraries you'd trust your company with?</p></pre>jmking: <pre><p>Hah! I'm sorry - I genuinely thought this was a question from a CTO.</p>
<p>Like others have said, Go ships with a very capable standard library. Depending on the use-case, you may find a shocking few number of dependencies used.</p>
<p>Otherwise, since the vast majority of Go packages exist on Github, the ones with a healthy activity graph, active PR/issue grooming, and recent releases are often a good signal that the project is healthy and actively maintained.</p>
<p>Trying to phrase it as "which would you trust your company with" is the wrong mindset to have when it comes to open source projects. Every time you pick a library to use from the community, you should be comfortable with the idea that you'll need to maintain it going forward. Once it's integrated into your code, it's now your code too.</p>
<p>I know that's probably not what you meant to convey, but I think it's worth raising regardless.</p></pre>endophage: <pre><p>Just a handful of my favorites that are also quite widely used:</p>
<p>Logging: github.com/sirupsen/logrus (it has loads of pluggable integrations to services like splunk, bugsnag, etc...)
Static site builder: github.com/spf13/hugo
CLI commands: github.com/spf13/cobra
Config parsing: github.com/spf13/viper
Testing: github.com/stretchr/testify (I just use the requires package with Go’s built in test runner, it makes for cleaner more readable unit tests)
Database ORM: github.com/jinzhu/gorm (less widely used than the above)</p>
<p>I’ve used gorilla mux for http routing but can’t say I like or dislike it enough to recommend it or warn away from it. </p>
<p>I’ve been using all of the above for coming up on 3 years now so I consider them all pretty mature and stable. </p></pre>cyberal: <pre><p>Thanks for the contribution. If you don't mind me asking:</p>
<p>During those 3 years, how have you seen these libraries evolve? Have they been actively developed or are they already in maintenance mode? How was your experience regarding backwards compatibility when they introduce new features or make architectural changes? Did you have you vet/test many other libraries before you settled on these because they provided what you needed, or you just started with them and they turned out to be okay?</p></pre>endophage: <pre><p>Those libraries have all been well maintained and I've had very few backwards compatibility issues. The most significant change I had to deal with was probably when logrus fully decoupled all its 3rd party integrations (they used to be bundled in the same repo). That though was really a case of hunting down where my particular integrations now lived and updating my vendoring (which was more painful than the code updates, though Go is working to solve vendor/dependency management).</p>
<p>The work from spf13 (who coincidentally is an ex-colleague) tends to be high quality and generally painless to update.</p>
<p>Testify hasn't had any compat issues I can think of in all the time I've used it, but then again, the functionality is so ridiculously simple and straightforward it would be highly unexpected for function signatures or behaviour to change in any externally visible manner.</p></pre>dc0d: <pre><p>Most mature Go based software, are tools, like docker. There are very stable and good (open source) tools too. Like NATS (a pub/sub nervous system) with official clients for many languages. Or CockroachDB, a scalable, PostgreSQL-Compatible database.</p>
<p>But if you are looking for next WordPress or Rails, Go has nothing comparable - in terms of maturity, features and community size of that tool (yet).</p></pre>rbetts: <pre><p>Yeah - look at the dependencies for things like docker, kubernetes, the hashicorp stack -- lots of go software out there that people depend on in production.</p></pre>dc0d: <pre><p>Sorry; I do not understand your comment.</p></pre>rbetts: <pre><p>I was agreeing with your comment that there are a lot of mature go tools like docker. Many of those tools have a lot of dependencies on other packages. Looking at the packages that tools like docker or kubernetes rely on is another way to find utilities that are mature.</p></pre>dc0d: <pre><p>Indeed! Thanks!</p>
<p>But since the work <em>framework</em> is used, I thought it has to be described in more detail especially in the web development area.</p></pre>nilslice: <pre><p>Working towards a wordpress / rails combo replacement in Go: <a href="https://ponzu-cms.org" rel="nofollow">https://ponzu-cms.org</a> -- would love to get some more people contributing so that your answer might be different next time around :)</p></pre>p4r14h: <pre><p>I’d recommend Uber’s stack as well. Tally for metrics, Fx for dependency injection, jaeger for tracing, zap for logging, yarp/tchannel for thrift rpc. </p>
<p>Lots of stuff there and it’s updated regularly. </p></pre>cyberal: <pre><p>Thanks, those might be good examples of libraries that are worth looking into.</p></pre>
