* Posts by jbaruch

2 posts • joined 14 Dec 2018

JFrog to open freebie central repository for Go fans in the new year


Re: (continued)

Go modules are always sources. The mod archive is just a tar.gz of the source files with metadata about it. This format was developed by Russ Cox (one of the creators of Go) and explained in a series of blog posts: https://research.swtch.com/vgo-intro. Modules have been part of Go since 1.11, and you can read more about their structure in the official Go documentation: https://github.com/golang/go/wiki/Modules

JFrog tries to help the adoption of Go modules by providing a faster and more reliable way to retrieve Go modules (without taking ownership of the modules themselves), as we believe it is the right solution for the Go dependency management problem.


Re: So... trying to replace GitHub?

JFrog doesn’t mean to replace GitHub or claim to be the IP source for the modules. The goal of GoCenter is trifold:

1. Speed up the resolution of modules. Currently, modules are packed on the client (for the most part). The source code is cloned every time the module is requested, packed into an archive and stored in a single computer's cache. It could be more efficient: GoCenter caches the archived modules, providing a simple and efficient one-file HTTP GET download.

2. Provide an immutable cache. Go modules rely on GitHub tags for versioning. While in the general case the content of a tag won't change once it is created, there are no guarantees of that. Git allows force-pushing new code under an existing tag, practically allowing retrieval of different code for the same module request over time. This is an anti-pattern in dependency management. GoCenter fixes that by locking the content under a version of a module. You will always retrieve the same module that was first cached, regardless of what happens with the tag in GitHub.

3. Provide persistency. People delete content from GitHub. That might lead to a non-reproducible build. You used a dependency once, but now, when you run the same go build from a different machine, it fails because Go won't be able to download the sources of the dependency, as it was deleted. GoCenter fixes that by caching the modules forever.

You can find more on the relationship between the module sources in GitHub and GoCenter and on the benefits we provide in our FAQ: https://jfrog.com/gocenter/
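
The "first cached wins" behaviour from points 2 and 3, sketched as an added example (not part of the post and not GoCenter's code). `PinnedCache`, `Resolve` and `Drifted` are hypothetical names, and the module path and archive bytes are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// PinnedCache is a hypothetical first-write-wins store keyed by "module@version".
type PinnedCache struct {
	mu     sync.Mutex
	pinned map[string][]byte
}

func NewPinnedCache() *PinnedCache { return &PinnedCache{pinned: map[string][]byte{}} }

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Resolve serves the pinned archive; fetch (upstream) runs only on the first request.
func (c *PinnedCache) Resolve(key string, fetch func() ([]byte, error)) ([]byte, string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if a, ok := c.pinned[key]; ok {
		return a, digest(a), nil
	}
	a, err := fetch()
	if err != nil {
		return nil, "", fmt.Errorf("first fetch of %s: %w", key, err)
	}
	c.pinned[key] = append([]byte(nil), a...) // private copy of the first-seen content
	return c.pinned[key], digest(a), nil
}

// Drifted reports whether upstream now serves different bytes than were pinned.
func (c *PinnedCache) Drifted(key string, upstream []byte) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	a, ok := c.pinned[key]
	return ok && digest(a) != digest(upstream)
}

func main() {
	c, key := NewPinnedCache(), "example.com/mod@v1.0.0" // constructed module path
	_, d1, _ := c.Resolve(key, func() ([]byte, error) { return []byte("original archive"), nil })
	_, d2, err := c.Resolve(key, func() ([]byte, error) { return nil, fmt.Errorf("repository deleted") })
	fmt.Println(d1 == d2, err, c.Drifted(key, []byte("force-pushed archive")))
}
```

A consumer that records the digest returned by the first `Resolve` can detect a moved tag by comparing it against what the origin serves later, which is what `Drifted` does here.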

