Skip to content
This repository has been archived by the owner on Sep 9, 2020. It is now read-only.

Question: Why does dep generate two manifests? #281

Closed
variadico opened this issue Mar 4, 2017 · 1 comment
Closed

Question: Why does dep generate two manifests? #281

variadico opened this issue Mar 4, 2017 · 1 comment

Comments

@variadico
Copy link

Hello.

Why does dep generate manifest.json and lock.json? I'm not a packaging expert, but as a user I'm a little confused because they seem to have very similar information.

manifest.json

{
    "dependencies": {
        "github.com/spf13/cobra": {
            "branch": "master"
        },
        "golang.org/x/crypto": {
            "branch": "master"
        }
    }
}

lock.json

{
    "memo": "172eceebfb9fff13752877d5b1e646fa25d4fd908dd139d9d06de55efa6a539e",
    "projects": [
        {
            "name": "github.com/inconshreveable/mousetrap",
            "branch": "master",
            "revision": "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75",
            "packages": [
                "."
            ]
        },
        {
            "name": "github.com/spf13/cobra",
            "branch": "master",
            "revision": "dc208f4211e7f6df7ec8cb62640f57d3e154910d",
            "packages": [
                "."
            ]
        },
        {
            "name": "github.com/spf13/pflag",
            "branch": "master",
            "revision": "a232f6d9f87afaaa08bafaff5da685f974b83313",
            "packages": [
                "."
            ]
        },
        {
            "name": "golang.org/x/crypto",
            "branch": "master",
            "revision": "40541ccb1c6e64c947ed6f606b8a6cb4b67d7436",
            "packages": [
                "ssh/terminal"
            ]
        },
        {
            "name": "golang.org/x/sys",
            "branch": "master",
            "revision": "d75a52659825e75fff6158388dddc6a5b04f9ba5",
            "packages": [
                "unix"
            ]
        }
    ]
}

It seems like lock.json contains all the information that manifest.json has, and then some. I can definitely see why we don't want to manually edit lock.json, but are we supposed to manually edit manifest.json? Is that why it was pulled out into its own file?

I skimmed through some of the Context documents in the readme, but I didn't see anything that explained this design. Unless I missed something, which totally could have happened.

Anyway, thank you!

@sdboyer
Copy link
Member

sdboyer commented Mar 4, 2017

Hi - totally reasonable question. Briefly - manifest.json describes user intent, and lock.json describes computed outputs. There's flexibility in manifests that isn't present in locks - not super-obvious in yours, but still there, as the "branch": "master" constraint will match whatever revision master HAPPENS to be at right now, whereas the lock is nailed down to a specific revision.

This flexibility is important because it allows us to provide easy commands (e.g. dep ensure -update) that can manage an update process for you, within the constraints you specify, AND because it allows your project, when imported by someone else, to collaboratively specify the constraints for your own dependencies.

There's some more mechanical information in the gps wiki, or a massively discursive explanation in the article I wrote.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants