<p>By library I mean a set of packages that don't have a main package. If your library depends on a particular version of a third party package then should you vendor it in your library's repository?</p>
<hr/>**评论:**<br/><br/>kardianos: <pre><p>If the consumers of the library repo all use a tool to "flatten" the vendor tree, then by all means, please vendor the library's dependencies.</p>
<p>If your consumers of the library just use "go get", then you may want to hold off now checking them in them. It may still be worthwhile to copy locally and check-in dependencies that are purely used within your project, are not exposed in any API, and where a duplicate package won't hurt anything.</p>
<p>Even if you don't check in your source code, you could still include a meta-data file that can pull down the exact versions you used so you can test with consistent revisions and people who use a compatible tool can also be offered those revisions. If you use govendor (github.com/kardianos/govendor) this would be equivalant to vendoring your deps, but then adding "vendor/*/" gob to the ignore file. This will check in the meta-data file but leave the dep sources. Then you can run "govendor sync" to pull in those exact revisions.</p></pre>jonbonazza: <pre><p>Convention is that you do not vendor dependencies for libraries. If an app pulls in a library, the vendoring tool (e.g godep) should vendor transitive dependencies as well. </p></pre>nicerobot: <pre><p>I wrote <a href="https://github.com/nicerobot/git-freeze" rel="nofollow">git-freeze</a> to facilitate this. It defaults to supporting submodules but can also utilize subtrees. Here's a <a href="https://www.reddit.com/r/golang/comments/492w0u/do_you_like_go_get_want_to_vendor_your_code/" rel="nofollow">discussions of using this technique</a>.</p></pre>kardianos: <pre><p>Question: The author specifically mentions vendoring for "library" repos, if you use "git-freeze" on a "library", won't that make it impossible for importers of the library to use the same transitive dependencies? (In other words, it won't flatten them.) If true, that is my biggest issue when someone suggests git submodules as a generic way to handle the vendoring.</p>
<p>I do see how submodules could be useful for an end product with limited scope where all dependencies are in git. But I don't see it as a general solution.</p>
<p>Am I missing something or is that approximately correct? I'd like to adjust my thinking if I'm wrong.</p></pre>nicerobot: <pre><p>All dependencies don't have to be git repositories, just able to be submoduled by git, which includes bzr and hg. Additionally, <code>git-freeze</code>allows subtrees instead of submodules.</p>
<p>If by "transitive dependencies" you mean <code>A -> B -> C</code> and <code>A -> C</code>, and you want both <code>C</code> libraries to be the same, that's a horrible idea. It's only slightly acceptable if you own all the libraries involved. If you don't own <code>B</code>, then you have no idea what version of <code>C</code> <code>B</code> imports. The entire reason for using vendor is isolation.</p>
<p>If you don't want the isolation provided by vendoring, simply don't vendor and keep some or all of your libraries "flat" in GOPATH. The two are not mutually exclusive.</p>
<p>I've used submodules to manage dependencies to great effect since Go 1.2. <code>git-freeze</code> is just a formalized version of this proven solution.</p></pre>
