25 votesRobert J. Berger commented
Unfortunately the Go community seems to be in total flux about this (for example: https://groups.google.com/forum/#!topic/go-package-management/mC8KvBzezR0 and https://groups.google.com/forum/#!topic/go-package-management/Gi-QjYZtV0Y and section 7 of http://talks.golang.org/2012/splash.article).
There is an effort to come up with a Vendor Spec: https://github.com/kardianos/vendor-spec
In then end though you will probably have to recurse thru the code and read the import statements. Of course Golang doesn't believe in versioning so there is no version info there. Import statements always pull from master(!).
Personally that is enough for me to never use Go, but developers on our team are using it and don't understand why not having versioned dependencies is insane for most use cases outside of Google. So I'm looking for help in managing it.
Tried using Godeps and discovered it still makes it really hard to do isolated project based deployments without doing rewrites of source code's import statements(!) or checking in all vendored dependencies to the projects' git repo. It also does not have the option of mixing pinned dependencies and non-pinned versions. If its listed in Godeps it has to have a SHA listed.
Trying Gom (https://github.com/mattn/gom) now which is pretty close to Bundler, but its really outside of the Go community's techno-political bounds, so it probably is not a popular choice.Robert J. Berger supported this idea ·Robert J. Berger commented