Finding Dependable Go Packages

By Julie Qiu

Elevator Pitch

At some point, we all find ourselves wanting to use a third-party Go package in our Go code. This talk discusses strategies for discovering, evaluating and maintaining Go packages and modules. It also shares new tools that the Go team is building to make this process better.

Description

At some point, we all find ourselves wanting to use a third-party Go package in our Go code. There are trade-offs to adding any new dependency to our code – how do we figure out the best solution for our needs?

This talk discusses learnings from building the new modules discovery site. It will cover:

What is module discovery and evaluation

  • Why it is important to evaluate dependencies
  • Tools that exist today

What makes a great module

  • Things to check for to determine a module’s quality, popularity and stability

How to discover modules for your application needs

  • What is the modules discovery site
  • How to search for modules
  • How modules are evaluated

By the end of this talk you’ll have the tools needed to discover the right modules for your application!

Notes

Audience Level

Anyone who uses third-party Go libraries in their application.

Outline

[1 minute] Intro

  • Who am I

[3 minutes] What is module discovery and evaluation

Why it is important to evaluate dependencies

  • Developers reuse software written by others every day
  • Oftentimes, they don’t examine the software thoroughly
  • Exposing our programs to a dependency can lead to serious risks

Discovery

  • Looking for third-party libraries (written by people you likely don’t know) rather than implementing that functionality yourself
  • Resources for Go users today
    • Searching for packages on Google
    • Curated lists or blog posts
    • Social Media (Twitter, Reddit, golang-nuts)

Evaluation

  • Determining whether to incorporate those libraries into your application
  • Methods include:
    • Looking at the README and documentation
    • How many users the repository has
  • Tools available today: gocover.io, goreportcard.com, godoc.org

[5 minutes] What makes a great module

  • Quality
    • Measures the code and documentation quality
    • Metrics
      • Does it have a README?
      • Does it have a redistributable license?
      • Does it have tests? What’s the coverage %? Is the build passing?
      • Does it run gofmt? go vet? gocyclo?
      • Does it have documentation?
  • Popularity
    • Measures module adoption by the Go community
    • Metrics
      • Number of dependents (key metric)
      • Number of stars
      • Number of forks
      • Number of subscribers
      • Number of contributors
      • Number of downloads
      • Downloads acceleration
  • Stability
    • Measures how active and healthy the module is
    • Metrics
      • Module follows semver
      • Does not use “unsafe”
      • Release frequency
      • Time to close issues
    • API Stability
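
Two of the stability checks listed above (the module follows semver, and it does not use “unsafe”) can be automated with the standard library. The Go program below is an added example, not code from the talk or the discovery site; Evaluate, Report and the constructed sampleFiles input are hypothetical names used for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"sort"
	"strconv"
)

// semverTag: vMAJOR.MINOR.PATCH with optional pre-release and build metadata.
var semverTag = regexp.MustCompile(
	`^v(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$`)

// sampleFiles is constructed input standing in for a module's source tree.
var sampleFiles = map[string]string{
	"fast.go":  "package m\n\nimport u \"unsafe\"\n\nvar Size = u.Sizeof(0)\n",
	"clean.go": "package m\n\n// Safe avoids the unsafe package.\nfunc Safe() string { return \"unsafe\" }\n",
}

// Report holds the two stability signals checked in this example.
type Report struct {
	ValidSemver bool
	UnsafeFiles []string
}

// Evaluate checks the version tag and lists files that import "unsafe".
// Parsing the import declarations (instead of searching the text) ignores
// comments and string literals and still catches aliased imports.
func Evaluate(version string, files map[string]string) (Report, error) {
	r := Report{ValidSemver: semverTag.MatchString(version)}
	for name, src := range files {
		f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly)
		if err != nil {
			return r, fmt.Errorf("parse %s: %w", name, err)
		}
		for _, imp := range f.Imports {
			if p, _ := strconv.Unquote(imp.Path.Value); p == "unsafe" {
				r.UnsafeFiles = append(r.UnsafeFiles, name)
				break
			}
		}
	}
	sort.Strings(r.UnsafeFiles)
	return r, nil
}

func main() {
	r, err := Evaluate("v1.4.0", sampleFiles)
	fmt.Println(r.ValidSemver, r.UnsafeFiles, err)
}
```

A flagged file is a prompt for review rather than a verdict: the import only shows where memory-safety guarantees are being bypassed and need a closer look.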

[5 minutes] What is the modules discovery site

  • Go introduced modules for dependency management in Go 1.11, and they will be on by default in Go 1.13
  • We want to make it more useful for developers to discover publicly available modules
  • We want to help developers evaluate whether they should rely on a given module or not

  • Modules Discovery Site is a website for developers who need to discover available modules
  • Ability to search for any module that is available from the module proxy and has a redistributable license
  • Features
    • Full text search for finding modules
    • Ability to view details for a given version of a module, including:
      • Overview (ReadMe, Publish Date, Installation Command)
      • Documentation
      • Version History
      • Dependencies (Includes transitive import graphs that show the set of packages that impose each dependency)
      • Dependents
      • License
  • Tools for evaluating a given module

[8 minutes] Architecture Overview

  • How data is populated for the discovery site
  • How search works
  • How evaluation works

[2 minutes] Conclusions

  • Future Plans for the Discovery Site
    • Make it easier for users to evaluate modules by having the metrics for quality, popularity and stability available on the site
  • The discovery site is open source - come talk to me if you are interested in contributing!

Speaking Experience

  • April 2019: GothamGo, Speaker
  • June 2018: Lead Developer London 2018, Speaker (http://bit.ly/julie-leadev-2018)
  • May 2018: DjangoCon Europe 2018, Speaker (http://bit.ly/julie-djangocon-2018)
  • May 2018: PyCon 2018, Speaker (http://bit.ly/julie-pycon2018)
  • May 2018: PyCon 2018, Tutorial Presenter (http://bit.ly/julie-pycon-tutorial-2018)
  • March 2018: Data Day Mexico, Speaker (http://bit.ly/julie-dataday-2018)
  • Feb 2018: Elastic{ON} 2018, Speaker (http://bit.ly/julie-elasticon-2018)
  • Feb 2018: PyCaribbean2018, Speaker (http://bit.ly/julie-pycaribbean-2018)
  • Jan 2018: DevOpsDays 2018, Speaker (http://bit.ly/julieqiu-devopsdaysnyc2018)