Provide a way for easily updating Go dependencies of projects
In legacy/trac#28325 (moved) we are working on enabling
go.mod support for our Go based projects. While that will be an improvement in that we don't need to work around a new default anymore, it does not solve the question how we can easily update all the dependencies of a project and the dependencies of those dependencies. That's the scope for this ticket. Besides legacy/trac#28325 (moved) we should keep in mind that we might want to think about how we want to handle go modules in the future. Right now, we have a project per module in
tor-browser-build. Maybe that's not a smart thing with the growing amount of projects we have. Either way, the solution for this ticket will have an impact on that, so we should take the question about how to handle the module-project relationship into account.
For the dependency update path forward we a bunch of possible options, some already mentioned in legacy/trac#28325 (moved) (in no particular order):
go mod vendorto vendor in the dependencies and then build with
-mod=vendorto use the
vendorfolder with the dependencies.
gomodtorbmscript written by dcf/cohosh (see: legacy/trac#28942 (moved) and legacy/trac#33576 (moved))
go mod downloadto fetch dependencies into the cache and then point, during the build, with
GOPROXYto the cached files (that's feeling similar to what we use for our Gradle dependencies right now).
There might be more than those three.
boklm had a nice idea of restructuring our go projects in a way that we'd only have one
go-module project and we could list all needed dependencies directly in the respective project under
input_files (see: comment:42:ticket:28942). That might be orthogonal to 1) and 3) but might actually help with 2). not sure.