The need for a Go registry
What was missing in the Go ecosystem was standardization – there wasn’t a standard tool for dependency management, and there wasn’t a standard package format or compatible registry specification. This meant that developers could not create reproducible builds with Go which was quite an issue. Over the years, tools such as dep, godep, glide and govendor entered the scene to handle Go dependency management, but none of these offered an acceptable solution for managing immutable Go packages in an internal Go registry or for setting up a go proxy for remote Go packages. The good news is that Google eventually stepped in and solved the issue once and for all by adding versioning support for Go with vgo.
Vgo is the proposed official standard dependency management tool and registry specification for Go. While not yet included in the official Go tools set, it is poised to be the standard dependency manager distributed with each Go release.
Artifactory Go Registries and go proxy
The recent release of Artifactory 5.11 added support for vgo-compatible Go registries (and go proxy) giving the community a variety of capabilities when developing with Go. Here are just a few of them:
- Local repositories in Artifactory let you set up secure, private Go registries with fine-grained access control to packages according to projects or development teams.
- A remote repository in Artifactory is a caching proxy for remote Go resources such as a GitHub project. Accessing a go proxy through Artifactory removes your dependency on the network, or on GitHub since all dependencies needed for your Go builds are cached in Artifactory and are therefore locally available. This also removes the risk of someone mutating or removing a dependency from version control, or worse, force-pushing changes to a remote Git tag thus changing what should be an immutable version which can create a lot of confusion and instability for dependant projects.
- A virtual repository aggregates both local and remote Go registries giving you access to all Go resources needed for your builds from a single URL, hiding the complexity of using a combination of both local and remote resources.
- Enterprise-grade features
- Multiple layers of security to manage authentication, access control and data privacy
- Support for massive scalability, both in terms of number of users and volume of Go packages being stored
- High-availability for extremely robust installations
- Support for any multi-site topology through a variety of repository replication capabilities
Building Go projects with JFrog CLI and Vgo
JFrog’s solution for Go fills in a few gaps that currently exist in the vgo CLI. JFrog CLI wraps vgo and adds additional capabilities with simple commands like:
jfrog rt go build
jfrog rt go-publish
You can build your Go projects while resolving dependencies through Artifactory, and then publish the resulting Go packages into a secure, private Go registry (i.e., a local Go repository) in Artifactory.
As Go and vgo evolve, so will Artifactory
As vgo continues to evolve, so will JFrog Artifactory and JFrog CLI, maintaining a high level of support for the Go development community.
Wanna give it a try?
You can build this sample project freely available on GitHub.