November 27, 2019

GRM - a Grim beginning

So I've been writing Go for a while now, and one of the major bugbears of mine is the dependency management system in Go, so I've decided to do something about it. If you are not a Go developer or don't write code with lots of dependencies, this is quite an in-depth blog (rant/tutorial); you have been warned.

So for those who are unaware, Go manages its dependencies through GitHub and Git in general. Normally, I would not take issue with using something that is already there; however, my concern comes from one big feature in Git providers, which is this:

github.com - danger zone

Yes, that's right, you can delete a repository.

If you don't know the significance of this, don't worry, I'll explain.

When you write software with dependencies, you might depend on packages that also have dependencies. To manage this, the software will build a tree of dependencies; this enables you to install only the dependencies that you need. The diagram below shows an example of one of these trees.

A graph showing dependencies

So this diagram shows that you have 2 libraries dependent on core, one on Lib1, and then your application depends on the other 2 libraries. But if the author of Lib1 decides that their code is no longer valid, or that they can no longer maintain their code, and they hit that delete button, we have a problem. In this case, Lib2 will break, and with Lib2 broken, your app also breaks.
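The breakage described above can be computed by walking the dependency graph backwards from the deleted package. This is an added example, not GRM code: the graph is constructed to match the description of the diagram, and the name `lib3` for the second library that depends on core, along with the `graph` variable and the `brokenBy` function, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// graph maps each module to the modules it imports directly (constructed data).
var graph = map[string][]string{
	"app":  {"lib2", "lib3"},
	"lib2": {"lib1"},
	"lib1": {"core"},
	"lib3": {"core"}, // "lib3" is a hypothetical name
	"core": {},
}

// brokenBy returns every module that can no longer be built once `deleted`
// disappears from its host, i.e. the transitive dependents of `deleted`.
func brokenBy(deps map[string][]string, deleted string) []string {
	// Invert the edges: for each module, record who imports it directly.
	dependents := map[string][]string{}
	for mod, imports := range deps {
		for _, imp := range imports {
			dependents[imp] = append(dependents[imp], mod)
		}
	}
	// Breadth-first walk upwards from the deleted module.
	seen := map[string]bool{deleted: true}
	queue := []string{deleted}
	broken := []string{}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, d := range dependents[cur] {
			if !seen[d] {
				seen[d] = true
				broken = append(broken, d)
				queue = append(queue, d)
			}
		}
	}
	sort.Strings(broken) // stable output regardless of map iteration order
	return broken
}

func main() {
	for _, gone := range []string{"lib1", "lib3", "core"} {
		fmt.Printf("delete %s -> broken: %v\n", gone, brokenBy(graph, gone))
	}
}
```

Deleting a package near the bottom of the graph takes out everything above it, which is why a single removed repository can stop an application that never imports it directly.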

This is the problem that GRM is trying to fix: by making versions of a package static and ensuring they are NEVER deleted, you can give your application a higher level of assurance.

Currently, I've only just started developing GRM, so it's really early stages, but hopefully this can solve a problem. I'll blog my progress weekly on a Monday evening (GMT), so stay tuned.