Question: Why does dep generate two manifests?

[variadico]

Hello.

Why does dep generate manifest.json and lock.json? I'm not a packaging expert, but as a user I'm a little confused because they seem to have very similar information.

manifest.json

{
    "dependencies": {
        "github.com/spf13/cobra": {
            "branch": "master"
        },
        "golang.org/x/crypto": {
            "branch": "master"
        }
    }
}

lock.json

{
    "memo": "172eceebfb9fff13752877d5b1e646fa25d4fd908dd139d9d06de55efa6a539e",
    "projects": [
        {
            "name": "github.com/inconshreveable/mousetrap",
            "branch": "master",
            "revision": "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75",
            "packages": [
                "."
            ]
        },
        {
            "name": "github.com/spf13/cobra",
            "branch": "master",
            "revision": "dc208f4211e7f6df7ec8cb62640f57d3e154910d",
            "packages": [
                "."
            ]
        },
        {
            "name": "github.com/spf13/pflag",
            "branch": "master",
            "revision": "a232f6d9f87afaaa08bafaff5da685f974b83313",
            "packages": [
                "."
            ]
        },
        {
            "name": "golang.org/x/crypto",
            "branch": "master",
            "revision": "40541ccb1c6e64c947ed6f606b8a6cb4b67d7436",
            "packages": [
                "ssh/terminal"
            ]
        },
        {
            "name": "golang.org/x/sys",
            "branch": "master",
            "revision": "d75a52659825e75fff6158388dddc6a5b04f9ba5",
            "packages": [
                "unix"
            ]
        }
    ]
}

It seems like lock.json contains all the information that manifest.json has, and then some. I can definitely see why we don't want to manually edit lock.json, but are we supposed to manually edit manifest.json? Is that why it was pulled out into its own file?

I skimmed through some of the Context documents in the readme, but I didn't see anything that explained this design. Unless I missed something, which totally could have happened.

Anyway, thank you!

[sdboyer]

Hi - totally reasonable question. Briefly - manifest.json describes user intent, and lock.json describes computed outputs. There's flexibility in manifests that isn't present in locks - not super-obvious in yours, but still there, as the "branch": "master" constraint will match whatever revision master HAPPENS to be at right now, whereas the lock is nailed down to a specific revision.

This flexibility is important because it allows us to provide easy commands (e.g. dep ensure -update) that can manage an update process for you, within the constraints you specify, AND because it allows your project, when imported by someone else, to collaboratively specify the constraints for your own dependencies.

There's some more mechanical information in the gps wiki, or a massively discursive explanation in the article I wrote.