Now that Go v1.13 is stable, we have much more powerful v2 modules that can fully replace GOPATH and vendoring while still providing security through checksumming.
As such, let's use this thread to discuss the pros/cons of a complete switch to modules, removing vendoring. I'll start:
Pros:
- Cleaner and smaller tree, dependency code not part of repo anymore.
- Dependencies can be added+upgraded more easily, single version change instead of large commits + PRs.
- More modern, encouraged way of handling deps in Go.
- Better tooling: Dependency + Security Vulnerability bots, etc.
Cons:
- Much slower build if Go module support is disabled, since dependencies have to be git-cloned to GOPATH. Risk of malicious code injection since GOPATH doesn't do checksumming.
- Module v2 builds only supported in Go 1.13+, which is not bundled in most system repositories yet.
I will start a few branches with different module layouts in the coming days. Let's see how it turns out.