cc @Mic92 @zowoq

It's mildly confusing to have vend point to
nix-community/govendor

IMHO it is more than just mildly confusing.

I am not in favour for the name collision with another Go vendoring tool even if it is abandoned.

It's mildly confusing to have vend point to
nix-community/govendor

IMHO it is more than just mildly confusing.

I am not in favour for the name collision with another Go vendoring tool even if it is abandoned.

Is there maybe a third name not used by anything? How about deepvendor as in deep copy? fullvendor? @zimbatm Help me out here :)

What's the issue with https://github.com/nomad-software/vend, are they not accepting patches?

Unless the project is a complete rewrite, I would keep the same name. It's not great, live with it :-D

If we have to fork it, I would also make sure that the repo is recorded as a fork of upstream for clarity's sake, and add an explanation to the README to explain why we need a long-term fork.

nomad-software/vend@dc54ecb Upstream seems to have implemented their own version of replacements.

What's the issue with nomad-software/vend, are they not accepting patches?

Unless the project is a complete rewrite, I would keep the same name. It's not great, live with it :-D

If we have to fork it, I would also make sure that the repo is recorded as a fork of upstream for clarity's sake, and add an explanation to the README to explain why we need a long-term fork.

The main motivation is to prevent checksum breaks. Upstream does not care about this too much and automatic updates by r-ryantm might introduce silent checksum changes. The tool itself is not overly complex that's why I think maintaining it our self is the better way to not break things in buildGoModule.

automatic updates by r-ryantm might introduce silent checksum changes.

There are a couple of different ways to prevent the bot sending PRs.

In order of importance for me is:

• keep the 1:1 mapping between the repo and package name. It's annoying to go resolve layers of indirections.
• make the fork explicit

I would re-fork upstream into nix-community/vend, rename the repo to nix-community/nixpkgs-vend and update the README with a quick explanation about the fork. And then update nixpkgs and rename the package as well.

I've checked a few packages and the upstream replacements seems to work.

Upstream has also removed fatih/color which was the only dependency. nomad-software/vend@bb65bee

Assuming that the upstream version is suitable for us to use I think we could just pin the version and disable the update bot.

Adding a warning should be sufficient to prevent accidental upgrades in the event someone does try to bump it manually.

Update:

Upstream vend works for the original six packages and only two of them need hash changes.

However it breaks telegraf.

I've checked a few packages and the upstream replacements seems to work.

Upstream has also removed fatih/color which was the only dependency. nomad-software/vend@bb65bee

Assuming that the upstream version is suitable for us to use I think we could just pin the version and disable the update bot.

Adding a warning should be sufficient to prevent accidental upgrades in the event someone does try to bump it manually.

Update:

Upstream vend works for the original six packages and only two of them need hash changes.

However it breaks telegraf.

So the only patch left would be the mod-tidy one? @c00w what is your opinion about having the fork?

Once #95485 is merged telegraf won't require runVend.

I've opened to #95487 switch to upstream.