@bk2204 bk2204 commented Mar 4, 2022

We currently vendor all dependencies in the repository. This causes a bunch of problems, notably that sometimes these dependencies are out of date, we get security reports about them, and they needlessly bloat the repository. There are some legitimate reasons to vendor dependencies, but none of them really apply to this project.

Since there are few benefits here and several downsides, let's remove the vendor directory altogether. It has already been ignored, so if users would like to use our make vendor target, which remains, they can do so without problems.

There are two preparatory commits here which set us up for proper behavior at the end. I should point out that this pull request removes over 358,000 more lines than it adds, which I believe is a compelling argument in favor of it.

Fixes #4827

We plan to drop vendoring, but we still want to allow people to vendor
data if they'd like, to allow them to build offline.  Let's ignore the
vendor directory so that this doesn't make the working tree dirty.

We currently vendor all dependencies in the repository.  This causes a
bunch of problems, notably that sometimes these dependencies are out of
date, we get security reports about them, and they needlessly bloat the
repository.  There are some legitimate reasons to vendor dependencies,
but none of them really apply to this project.

Since there are few benefits here and several downsides, let's remove
the vendor directory altogether.  It has already been ignored, so if
users would like to use our `make vendor` target, which remains, they
can do so without problems.

We're no longer including the `vendor` directory in our tarballs, so
delete the entries in the `debian/copyright` file.
@bk2204 bk2204 marked this pull request as ready for review September 8, 2022 13:38
@bk2204 bk2204 requested a review from a team as a code owner September 8, 2022 13:38

@chrisd8088 chrisd8088 left a comment

Lovely, thank you! This will save some headaches dealing with security reports that don't actually affect Git LFS, for sure.

@bk2204 bk2204 merged commit 2567883 into git-lfs:main Sep 8, 2022
@bk2204 bk2204 deleted the drop-vendoring branch September 8, 2022 16:02
QuLogic added a commit to QuLogic/git-lfs that referenced this pull request Jul 31, 2023
The `vendor` directory is `.gitignore`d, and vendoring as a process was
fully removed in git-lfs#4903.
QuLogic added a commit to QuLogic/git-lfs that referenced this pull request Aug 2, 2023
The `vendor` directory is `.gitignore`d, and vendoring as a process was
fully removed in git-lfs#4903.
chrisd8088 added a commit to chrisd8088/git-lfs that referenced this pull request Sep 8, 2023
In PR git-lfs#4903 we removed use of a "vendor" directory for Go modules,
so we can now drop several references to that directory from our
CI build script and Makefile, and our license documentation.

Note that the "lint" Makefile target was introduced in PR git-lfs#3144
(and then modified in PR git-lfs#3208 when the project adopted Go modules),
and existed to check whether all dependencies outside those from
the Go standard library existed in the "vendor" directory.  At
present, though, the command now finds no dependencies that are
neither in the standard library nor are Go modules, and so is a
no-op which we can simply remove.
chrisd8088 added a commit to chrisd8088/git-lfs that referenced this pull request Nov 24, 2024
We last updated our software license in commit
4da6d5f of PR git-lfs#4513 to revise the
current year in our copyright statement to 2021.

As this date is now several years in the past, and because we want to
avoid having to update our license each year, we simply remove the
current year from our license's copyright statement now.

This practice is in keeping with the format we use in the license files
of all our other Git LFS projects, such as in the git-lfs/gitobj and
git-lfs/pktline repositories.  It also aligns with the practice of other
major open-source projects, like that of the source code for the Go
language and standard library.

As well, we add a copyright date of 2009 to the Go project's license
that we include in our main LICENSE.md, alongside the existing 2010
copyright date.  When we first appended the Go project's license to our
license file, in commit 74d5f2397f9abe4834bf1fe1fa02fd6c141b77cea, it was
specifically due to the inclusion of some code into our "subprocess"
package from the Go library's "os/exec" package.  Those original source
files have copyright dates of 2010, which is why we used that date in
our copy of the Go project's license.  For reference, see:

  https://github.com/golang/go/blob/b68f8ca89a2fb6b33d1e78fadc33d1c35693f6b8/src/os/exec/lp_unix.go#L1
  https://github.com/golang/go/blob/b68f8ca89a2fb6b33d1e78fadc33d1c35693f6b8/src/os/exec/lp_windows.go#L1

In commit a662740 of PR git-lfs#4418 we then
revised our license file to note that we also include some code from the
Go library's "os" package in our "tools" package.  The Go source code
in this case has a copyright date of 2009, but we did not update our
license file to reflect this, so we do that now.  For reference, see:

  https://github.com/golang/go/blob/b68f8ca89a2fb6b33d1e78fadc33d1c35693f6b8/src/os/file_windows.go#L1

Finally, in commit fc95175 of PR git-lfs#4903
we removed our "vendor" directory and all the associated copies of our
dependencies from this project.  Our license file still mentions this
directory, though, so we remove that reference now.