maybe, undesired dependency update after glide get #518

Open
mh-cbon opened this issue Jul 23, 2016 · 3 comments
@mh-cbon
Contributor

mh-cbon commented Jul 23, 2016

Hi,

It looks like glide undesirably updated a dependency after I did a glide get.

This is the command I ran,

glide get github.com/Masterminds/semver
[INFO]  Preparing to install 1 package.
[INFO]  Attempting to get package github.com/Masterminds/semver
[INFO]  --> Gathering release information for github.com/Masterminds/semver
[INFO]  The package github.com/Masterminds/semver appears to have Semantic Version releases (http://semver.org). 
[INFO]  The latest release is v1.1.1. You are currently not using a release. Would you like
[INFO]  to use this release? Yes (Y) or No (N)
y
[INFO]  The package github.com/Masterminds/semver appears to use semantic versions (http://semver.org).
[INFO]  Would you like to track the latest minor or patch releases (major.minor.patch)?
[INFO]  Tracking minor version releases would use '>= 1.1.1, < 2.0.0' ('^1.1.1'). Tracking patch version
[INFO]  releases would use '>= 1.1.1, < 1.2.0' ('~1.1.1'). For more information on Glide versions
[INFO]  and ranges see https://glide.sh/docs/versions
[INFO]  Minor (M), Patch (P), or Skip Ranges (S)?
m
[INFO]  --> Adding github.com/Masterminds/semver to your configuration with the version ^1.1.1
[INFO]  Downloading dependencies. Please wait...
[INFO]  --> Fetching updates for github.com/mh-cbon/verbose.
[INFO]  --> Fetching updates for github.com/urfave/cli.
[INFO]  --> Fetching updates for github.com/mattn/go-zglob.
[INFO]  --> Fetching updates for github.com/Masterminds/semver.
[INFO]  Resolving imports
[INFO]  --> Detected semantic version. Setting version for github.com/mh-cbon/verbose to 0.0.2.
[INFO]  --> Fetching updates for github.com/fatih/color.
[INFO]  --> Fetching updates for github.com/mattn/go-colorable.
[INFO]  --> Fetching updates for github.com/mattn/go-isatty.
[INFO]  --> Fetching updates for golang.org/x/sys.
[INFO]  Downloading dependencies. Please wait...
[INFO]  --> Detected semantic version. Setting version for github.com/Masterminds/semver to v1.1.1.
[INFO]  --> Detected semantic version. Setting version for github.com/urfave/cli to v1.18.0.

This is the glide.yaml diff

$ git diff glide.yaml
diff --git a/glide.yaml b/glide.yaml
index 6c5cdcd..d63b366 100644
--- a/glide.yaml
+++ b/glide.yaml
@@ -17,3 +17,5 @@ import:
 - package: github.com/urfave/cli
   version: ^1.18.0
 - package: github.com/mattn/go-zglob
+- package: github.com/Masterminds/semver
+  version: ^1.1.1
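
Review bot: github.com/mattn/go-zglob, in the context line directly above the added entry, has no version: key, unlike urfave/cli (^1.18.0) and the new semver entry (^1.1.1). An import without a constraint has nothing in glide.yaml holding it to a revision, so it would be worth giving it a version: (a range, tag or commit id) in the same change.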

This is the glide.lock diff

$ git diff glide.lock
diff --git a/glide.lock b/glide.lock
index 21571de..aa48b5c 100644
--- a/glide.lock
+++ b/glide.lock
@@ -1,8 +1,10 @@
-hash: f13d025302de659ff3f6b83d7c40d2ecfb90846461991d59aaafc27464c14bf2
-updated: 2016-07-14T12:56:25.780034878+02:00
+hash: 812cf854fcb511eca099ae87bfe7efa094f02fb883409bfd65ef3b47ba62bfe2
+updated: 2016-07-23T12:28:34.180022464+02:00
 imports:
 - name: github.com/fatih/color
   version: 87d4004f2ab62d0d255e0a38f1680aa534549fe3
+- name: github.com/Masterminds/semver
+  version: 8d0431362b544d1a3536cca26684828866a7de09
 - name: github.com/mattn/go-colorable
   version: 9cbef7c35391cca05f15f8181dc0b18bc9736dbb
 - name: github.com/mattn/go-isatty
@@ -17,7 +19,7 @@ imports:
 - name: github.com/urfave/cli
   version: 1efa31f08b9333f1bd4882d61f9d668a70cd902e
 - name: golang.org/x/sys
-  version: b518c298ac9dc94b6ac0757394f50d10c5dfa25a
+  version: a646d33e2ee3172a661fc09bca23bb4889a41bc8
   subpackages:
   - unix
 testImports: []
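
Review bot: The golang.org/x/sys revision on the changed line moves from b518c29 to a646d33, which is unrelated to adding semver, and nothing in the glide.yaml hunk or the first glide.lock hunk accounts for it. Either keep the previous revision on this line, or pin golang.org/x/sys in glide.yaml with a version: set to the intended commit, and review what changed upstream between the two revisions before accepting the bump.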

I added semver to my dependencies, and I got golang.org/x/sys updated.
You can check the commits here, the dependency was updated to latest commit.

I see no obvious reason to update it, semver does not rely on it, other dependencies already known at that time did not change.

My understanding is that because there are no versions on golang.org/x/sys, glide always takes latest when it updates.

I advocate this behavior is probably not desirable when a commit is already set.
Yesterday I faced the same problem with another repo, another dependency, this is the problematic commit.
It was relying on https://github.com/google/go-github, this repo does not use any version, and recently they implemented a breaking change, see this change.

Because glide fetched the latest commit, my build did not work anymore.

Some thoughts about that,
If one of the versioned dependencies explicitly sets a revision commit, I guess glide should follow it, and hang in case of a diamond situation.
The dependency does not use versions and is yet unknown in the dependency graph: take latest.
The dependency is already known in the dependency graph, via glide.lock for example: it should not be changed unless a commit is explicitly set by one dependency.
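
A check for the situation reported above, as an added example that is not part of the original comment and not glide's own code: it compares a glide.lock before and after a `glide get` and reports every already-locked package, other than the requested one, whose revision moved or disappeared. The function names `parseLock` and `unexpectedChanges` are hypothetical, and the lock excerpts are rebuilt from the diff in this issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Lock excerpts rebuilt from the glide.lock diff in this issue (constructed input).
const lockBefore = `- name: github.com/urfave/cli
  version: 1efa31f08b9333f1bd4882d61f9d668a70cd902e
- name: golang.org/x/sys
  version: b518c298ac9dc94b6ac0757394f50d10c5dfa25a`

const lockAfter = `- name: github.com/Masterminds/semver
  version: 8d0431362b544d1a3536cca26684828866a7de09
- name: github.com/urfave/cli
  version: 1efa31f08b9333f1bd4882d61f9d668a70cd902e
- name: golang.org/x/sys
  version: a646d33e2ee3172a661fc09bca23bb4889a41bc8`

// parseLock maps each "- name:" entry to its "version:" revision. It is a
// line parser for the glide.lock layout shown above, not a full YAML parser.
func parseLock(text string) map[string]string {
	pins, name := map[string]string{}, ""
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, "- name: ") {
			name = strings.TrimSpace(line[len("- name: "):])
		} else if strings.HasPrefix(line, "  version: ") && name != "" {
			pins[name] = strings.TrimSpace(line[len("  version: "):])
		}
	}
	return pins
}

// unexpectedChanges lists locked packages, other than the requested one, whose revision moved or vanished.
func unexpectedChanges(before, after, requested string) []string {
	cur, out := parseLock(after), []string{}
	for name, rev := range parseLock(before) {
		if now := cur[name]; name != requested && now != rev {
			out = append(out, fmt.Sprintf("%s: %s -> %q", name, rev, now))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(strings.Join(unexpectedChanges(lockBefore, lockAfter, "github.com/Masterminds/semver"), "\n"))
}
```

Run against the two revisions of glide.lock in CI, a non-empty result is a signal to review the upstream changes before merging the lock update.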

@diabloneo

I agree with @mh-cbon. I expect glide get to only add the specific package rather than update all already installed packages.

@technosophos
Member

Yeah, we need to find a sensible way to determine which things to update on glide get. We've taken the most basic approach (regarding dependency resolution) that we'd try to get the latest of any un-pinned packages (e.g. those that don't have a version: specified in glide.yaml), but we should probably get more conservative than that.

I'm not sure whether to wait for @sdboyer 's resolver change or whether to try to do this before that. Thoughts, @sdboyer?

@sdboyer
Member

sdboyer commented Jul 27, 2016

(the issue I usually refer to wrt this problem is #252. it's the same basic underlying issue, even though it's not glide get. #328 is also in the family)

@technosophos It's hard to say. On the one hand, I'm honestly not sure how difficult it would be to control this in glide as-is. My guess would be that it might be fairly gnarly, but it could be reasonably straightforward.

On the other, gps is pretty close now. (Like, I-could-actually-use-some, y'know, help-level-of-close 😄 ). As I explained on the main PR, I have two things left in my "MVP" milestone, which is my basic guess about what's necessary.

Personally, I'd prefer to see the effort that would go into solving this maybe-knotty problem instead invested in getting gps integrated. (And, hey, there's great docs!)
