@@ -7,40 +7,17 @@
## Dep
-`dep` is a prototype dependency management tool for Go. It requires Go 1.8 or newer to compile.
+`dep` is a prototype dependency management tool for Go. It requires Go 1.8 or newer to compile. **`dep` is safe for production use.**
`dep` is the official _experiment_, but not yet the official tool. Check out the [Roadmap](https://github.com/golang/dep/wiki/Roadmap) for more on what this means!
-## Current status
+For guides and reference materials about `dep`, see [the documentation](https://golang.github.io/dep).
-`dep` is safe for production use. That means two things:
+## Installation
-* Any valid metadata file (`Gopkg.toml` and `Gopkg.lock`) will be readable and considered valid by any future version of `dep`.
-* The CLI UI is mostly stable. `dep init` and `dep ensure` are mostly set; `dep status` is likely to change a fair bit, and `dep prune` is [going to be absorbed into `dep ensure`](https://github.com/golang/dep/issues/944).
+It is strongly recommended that you use a released version. Release binaries are available on the [releases](https://github.com/golang/dep/releases) page.
-That said, keep in mind the following:
-
-* `dep init` on an existing project can be a rocky experience - we try to automatically convert from other tools' metadata files, and that process is often complex and murky. Once your project is converted and you're using `dep ensure`, its behavior is quite stable.
-* `dep` still has nasty bugs, but in general these are comparable to or fewer than other tools out there.
-* `dep` is [pretty slow right now](https://github.com/golang/dep/blob/master/docs/FAQ.md#why-is-dep-slow), especially on the first couple times you run it. Just know that there is a _lot_ of headroom for improvement, and work is actively underway.
-* `dep` is still changing rapidly. If you need stability (e.g. for CI), it's best to rely on a released version, not tip.
-* `dep`'s exported API interface will continue to change in unpredictable, backwards-incompatible ways until we tag a v1.0.0 release.
-
-## Context
-
-- [The Saga of Go Dependency Management](https://blog.gopheracademy.com/advent-2016/saga-go-dependency-management/)
-- Official Google Docs
- - [Go Packaging Proposal Process](https://docs.google.com/document/d/18tNd8r5DV0yluCR7tPvkMTsWD_lYcRO7NhpNSDymRr8/edit)
- - [User Stories](https://docs.google.com/document/d/1wT8e8wBHMrSRHY4UF_60GCgyWGqvYye4THvaDARPySs/edit)
- - [Features](https://docs.google.com/document/d/1JNP6DgSK-c6KqveIhQk-n_HAw3hsZkL-okoleM43NgA/edit)
- - [Design Space](https://docs.google.com/document/d/1TpQlQYovCoX9FkpgsoxzdvZplghudHAiQOame30A-v8/edit)
-- [Frequently Asked Questions](docs/FAQ.md)
-
-## Setup
-
-Grab the latest binary from the [releases](https://github.com/golang/dep/releases) page.
-
-On macOS you can install or upgrade to the latest released version with Homebrew:
+On MacOS you can install or upgrade to the latest released version with Homebrew:
```sh
$ brew install dep
@@ -53,217 +30,12 @@ If you're interested in hacking on `dep`, you can install via `go get`:
go get -u github.com/golang/dep/cmd/dep
```
-To start managing dependencies using dep, run the following from your project's root directory:
-
-```sh
-$ dep init
-```
-
-This does the following:
-
-1. Look for [existing dependency management files](docs/FAQ.md#what-external-tools-are-supported) to convert
-1. Check if your dependencies use dep
-1. Identify your dependencies
-1. Back up your existing `vendor/` directory (if you have one) to
-`_vendor-TIMESTAMP/`
-1. Pick the highest compatible version for each dependency
-1. Generate [`Gopkg.toml`](docs/Gopkg.toml.md) ("manifest") and `Gopkg.lock` files
-1. Install the dependencies in `vendor/`
-
-## Usage
-
-There is one main subcommand you will use: `dep ensure`. `ensure` first checks that `Gopkg.lock` is consistent with `Gopkg.toml` and the `import`s in your code. If any
-changes are detected, `dep`'s solver works out a new `Gopkg.lock`. Then, `dep` checks if the contents of `vendor/` are what `Gopkg.lock` (the new one if applicable, else the existing one) says it should be, and rewrites `vendor/` as needed to bring it into line.
-
-In essence, `dep ensure` [works in two phases to keep four buckets of state in sync](https://youtu.be/5LtMb090AZI?t=20m4s):
-
-
-
-
-_Note: until we ship [vendor verification](https://github.com/golang/dep/issues/121), we can't efficiently perform the `Gopkg.lock` <-> `vendor/` comparison, so `dep ensure` unconditionally regenerates all of `vendor/` to be safe._
-
-`dep ensure` is safe to run early and often. See the help text for more detailed
-usage instructions.
-
-```sh
-$ dep help ensure
-```
-
-### Installing dependencies
-
-(if your `vendor/` directory isn't [checked in with your code](docs/FAQ.md#should-i-commit-my-vendor-directory))
-
-
-
-```sh
-$ dep ensure
-```
-
-If a dependency already exists in your `vendor/` folder, dep will ensure it
-matches the constraints from the manifest. If the dependency is missing from
-`vendor/`, the latest version allowed by your manifest will be installed.
-
-### Adding a dependency
-
-```sh
-$ dep ensure -add github.com/foo/bar
-```
-
-This adds a version constraint to your `Gopkg.toml`, and updates `Gopkg.lock` and `vendor/`. Now, import and use the package in your code! â¨
-
-`dep ensure -add` has some subtle behavior variations depending on the project or package named, and the state of your tree. See `dep ensure -examples` for more information.
-
-### Changing dependencies
-
-If you want to:
-
-* Change the allowed `version`/`branch`/`revision`
-* Switch to using a fork
-
-for one or more dependencies, do the following:
-
-1. Manually edit your `Gopkg.toml`.
-1. Run
-
- ```sh
- $ dep ensure
- ```
-
-### Checking the status of dependencies
-
-Run `dep status` to see the current status of all your dependencies.
-
-```sh
-$ dep status
-PROJECT CONSTRAINT VERSION REVISION LATEST
-github.com/Masterminds/semver branch 2.x branch 2.x 139cc09 c2e7f6c
-github.com/Masterminds/vcs ^1.11.0 v1.11.1 3084677 3084677
-github.com/armon/go-radix * branch master 4239b77 4239b77
-```
-
-On top of that, if you have added new imports to your project or modified `Gopkg.toml` without running `dep ensure` again, `dep status` will tell you there is a mismatch between `Gopkg.lock` and the current status of the project.
-
-```sh
-$ dep status
-Lock inputs-digest mismatch due to the following packages missing from the lock:
-
-PROJECT MISSING PACKAGES
-github.com/Masterminds/goutils [github.com/Masterminds/goutils]
-
-This happens when a new import is added. Run `dep ensure` to install the missing packages.
-```
-
-As `dep status` suggests, run `dep ensure` to update your lockfile. Then run `dep status` again, and the lock mismatch should go away.
-
-### Visualizing dependencies
-
-Generate a visual representation of the dependency tree by piping the output of `dep status -dot` to [graphviz](http://www.graphviz.org/).
-#### Linux
-```
-$ sudo apt-get install graphviz
-$ dep status -dot | dot -T png | display
-```
-#### MacOS
-```
-$ brew install graphviz
-$ dep status -dot | dot -T png | open -f -a /Applications/Preview.app
-```
-#### Windows
-```
-> choco install graphviz.portable
-> dep status -dot | dot -T png -o status.png; start status.png
-```
-
-
-### Updating dependencies
-
-Updating brings the version of a dependency in `Gopkg.lock` and `vendor/` to the latest version allowed by the constraints in `Gopkg.toml`.
-
-You can update just a targeted subset of dependencies (recommended):
-
-```sh
-$ dep ensure -update github.com/some/project github.com/other/project
-$ dep ensure -update github.com/another/project
-```
-
-Or you can update all your dependencies at once:
-
-```sh
-$ dep ensure -update
-```
-
-"Latest" means different things depending on the type of constraint in use. If you're depending on a `branch`, `dep` will update to the latest tip of that branch. If you're depending on a `version` using [a semver range](#semantic-versioning), it will update to the latest version in that range.
-
-### Removing dependencies
-
-1. Remove the `import`s and all usage from your code.
-1. Remove `[[constraint]]` rules from `Gopkg.toml` (if any).
-1. Run
-
- ```sh
- $ dep ensure
- ```
-
-### Testing changes to a dependency
-
-Making changes in your `vendor/` directory directly is not recommended, as dep
-will overwrite any changes. Instead:
-
-1. Delete the dependency from the `vendor/` directory.
-
- ```sh
- rm -rf vendor/
- ```
-
-1. Add that dependency to your `GOPATH`, if it isn't already.
-
- ```sh
- $ go get
- ```
-
-1. Modify the dependency in `$GOPATH/src/`.
-1. Test, build, etc.
-
-Don't run `dep ensure` until you're done. `dep ensure` will reinstall the
-dependency into `vendor/` based on your manifest, as if you were installing from
-scratch.
-
-This solution works for short-term use, but for something long-term, take a look
-at [virtualgo](https://github.com/GetStream/vg).
-
-To test out code that has been pushed as a new version, or to a branch or fork,
-see [changing dependencies](#changing-dependencies).
-
-## Semantic Versioning
-
-`dep ensure` uses an external [semver library](https://github.com/Masterminds/semver) to interpret the version constraints you specify in the manifest. The comparison operators are:
-
-* `=`: equal
-* `!=`: not equal
-* `>`: greater than
-* `<`: less than
-* `>=`: greater than or equal to
-* `<=`: less than or equal to
-* `-`: literal range. Eg: 1.2 - 1.4.5 is equivalent to >= 1.2, <= 1.4.5
-* `~`: minor range. Eg: ~1.2.3 is equivalent to >= 1.2.3, < 1.3.0
-* `^`: major range. Eg: ^1.2.3 is equivalent to >= 1.2.3, < 2.0.0
-* `[xX*]`: wildcard. Eg: 1.2.x is equivalent to >= 1.2.0, < 1.3.0
-
-You might, for example, include a constraint in your manifest that specifies `version = "=2.0.0"` to pin a dependency to version 2.0.0, or constrain to minor releases with: `version = "2.*"`. Refer to the [semver library](https://github.com/Masterminds/semver) documentation for more info.
-
-**Note**: When you specify a version *without an operator*, `dep` automatically uses the `^` operator by default. `dep ensure` will interpret the given version as the min-boundary of a range, for example:
-
-* `1.2.3` becomes the range `>=1.2.3, <2.0.0`
-* `0.2.3` becomes the range `>=0.2.3, <0.3.0`
-* `0.0.3` becomes the range `>=0.0.3, <0.1.0`
-
## Feedback
Feedback is greatly appreciated.
At this stage, the maintainers are most interested in feedback centered on the user experience (UX) of the tool.
Do you have workflows that the tool supports well, or doesn't support at all?
Do any of the commands have surprising effects, output, or results?
-Please check the existing issues and [FAQ](docs/FAQ.md) to see if your feedback has already been reported.
If not, please file an issue, describing what you did or wanted to do, what you expected to happen, and what actually happened.
## Contributing
diff --git a/docs/FAQ.md b/docs/FAQ.md
index e9acbb61c2..f588d477c5 100644
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@@ -1,10 +1,8 @@
-# FAQ
+---
+title: FAQ
+---
-_The first rule of FAQ is don't bikeshed the FAQ, leave that for
-[Create structure for managing docs](https://github.com/golang/dep/issues/331)._
-
-Please contribute to the FAQ! Found an explanation in an issue or pull request helpful?
-Summarize the question and quote the reply, linking back to the original comment.
+The FAQ predated the introduction of the rest of the documentation. If something in here conflicts with other guides or reference documents, it's probably here that it's wrong - please file a PR!
## Concepts
* [Does `dep` replace `go get`?](#does-dep-replace-go-get)
@@ -284,7 +282,7 @@ There's another major performance issue that's much harder - the process of pick
## How does `dep` handle symbolic links?
> because we're not crazy people who delight in inviting chaos into our lives, we need to work within one `GOPATH` at a time.
--[@sdboyer in #247](https://github.com/golang/dep/pull/247#issuecomment-284181879)
+> -[@sdboyer in #247](https://github.com/golang/dep/pull/247#issuecomment-284181879)
Out of convenience, one might create a symlink to a directory within their `GOPATH/src`, e.g. `ln -s ~/go/src/github.com/user/awesome-project ~/Code/awesome-project`.
diff --git a/docs/Gopkg.lock.md b/docs/Gopkg.lock.md
new file mode 100644
index 0000000000..c68fdc0128
--- /dev/null
+++ b/docs/Gopkg.lock.md
@@ -0,0 +1,86 @@
+---
+title: Gopkg.lock
+---
+
+The `Gopkg.lock` file is generated by `dep ensure` and `dep init`. It is the output of [the solving function](ensure-mechanics.md#functional-flow): a transitively complete snapshot of a project's dependency graph, expressed as a series of `[[project]]` stanzas. That means:
+
+* Every package a project needs to compile
+* Plus any [`required`](Gopkg.toml.md#required) packages
+* Less any [`ignored`](Gopkg.toml.md#ignored) packages
+
+`Gopkg.lock` also contains some metadata about the algorithm used to arrive at the final graph, under `[solve-meta]`.
+
+`Gopkg.lock` always includes a `revision` for all listed dependencies, as the semantics of `revision` guarantee them to be immutable. Thus, the `Gopkg.lock` acts as a reproducible build list - as long as the upstream remains available, all dependencies can be precisely reproduced.
+
+`Gopkg.lock` is autogenerated; editing it manually is generally an antipattern. If there is a goal you can only achieve by hand-editing `Gopkg.lock`, it is at least a feature request, and likely a bug.
+
+## `[[project]]`
+
+The dependency graph is expressed as a series of `[[project]]` stanzas, each representing a single dependency project. A given project can only appear once in the list, and the version information expressed about them encompasses all contained packages - it is not possible to have multiple packages from a single project at different versions.
+
+These are all the properties that can appear in a `[[project]]` stanza, and whether or not they are guaranteed to be present/must be present for a stanza to be valid.
+
+| **Property** | **Always present?** |
+| ------------ | ------------------- |
+| `name` | Y |
+| `packages` | Y |
+| `source` | N |
+| `revision` | Y |
+| `version` | N |
+| `branch` | N |
+
+### `name`
+
+The project to which the stanza applies, as identified by its [project root](glossary.md#project-root).
+
+### `source`
+
+If present, it indicates the upstream source from which the project should be retrieved. It has the same properties as [`source` in `Gopkg.toml`](Gopkg.toml.md#source).
+
+### `packages`
+
+A complete list of directories from within the source that dep determined to be necessary for the build.
+
+In general, this is the set of packages that were found to be participants in the package import graph, through at least one but as many as all of the following mechanisms:
+
+* Being in the current project's [`required`](Gopkg.toml.md#required) list
+* Being imported by a package from either the current project or a different dependency
+* Being imported by a package from within this project that, directly or transitively, is imported by a package from a different project
+
+### Version information: `revision`, `version`, and `branch`
+
+In order to provide reproducible builds, it is an absolute requirement that every project stanza contain a `revision`, no matter what kinds of constraints were encountered in `Gopkg.toml` files. It is further possible that exactly one of either `version` or `branch` will _additionally_ be present.
+
+When one of the other two are present, the `revision` is understood to be the underlying, immutable identifier that corresponded to that `version` or `branch` _at the time when the `Gopkg.lock` was written_.
+
+## `[solve-meta]`
+
+Metadata contained in this section tells us about the algorithm that was used to generate the `Gopkg.lock` file. These are very coarse indicators, primarily used to trigger a re-evaluation of the lock when it might have become invalid, as well as warn a team when its members are using algorithms with potentially subtly different effects.
+
+More details on "analyzer" and "solver" follow, but the versioning principle is the same: algorithmic changes that result in a decrease to the set of acceptable solutions for at least one input set generally require a version bump, while changes that increase the size of that set do not. However, this is not a formal definition; we leave room for judgment calls on small changes and bug fixes, and we bump at most once per release.
+
+By bumping versions only on solution set contractions, but not expansions, it allows us to avoid having to bump constantly (which could make using dep across teams awkward), while still making it likely that when the solver and version numbers match between `Gopkg.lock` and a running version of dep, what's recorded in the file is acceptable by the running version's rules.
+
+### `analyzer-name` and `analyzer-version`
+
+The analyzer is an internal dep component responsible for interpreting the contents of `Gopkg.toml` files, as well as metadata files from any tools dep knows about: `glide.yaml`, `vendor.json`, etc.
+
+The analyzer is named because the dep needs to identify itself to its engine, gps (`github.com/golang/dep/gps`); gps knows nothing about dep. The analyzer version is bumped when something in the analyzer's logic begins treating data that it already accepted in a significantly different way, or stops accepting a particular class of data. It is _not_ changed when support for entirely new types of data are added.
+
+For example, if dep's analyzer stopped supporting automated conversions from glide, then that would not require bumping the analyzer version, as doing so makes _more_ solutions possible. Adding support for converting from a new tool, or changing the interpretation of `version` fields in `Gopkg.toml` so that it was only allowed to specify minimum versions, would entail a version bump.
+
+### `solver-name` and `solver-version`
+
+The solver is the algorithm behind [the solving function](ensure-mechanics.md#functional-flow). It selects all the versions that ultimately appear in `Gopkg.lock` by finding a combination that satisfies all the rules, including those from `Gopkg.toml` (fed to the solver by the analyzer).
+
+The solver is named because, like the analyzer, it is pluggable; an alternative algorithm could be written that applies different rules to achieve the same goal. The one dep uses, "gps-cdcl", is named after [the general class of SAT solving algorithm it most resembles](https://en.wikipedia.org/wiki/Conflict-Driven_Clause_Learning), though the algorithm is actually a specialized, domain-specific [SMT solver](https://en.wikipedia.org/wiki/Satisfiability_modulo_theories).
+
+The same general principles of version-bumping apply to the solver version: if the solver starts enforcing [Go 1.4 import path comments](https://golang.org/cmd/go/#hdr-Import_path_checking), that entails a bump, because it can only narrow the solution set. If it were to later relax that requirement, it would not require a bump, as that can only expand the solution set.
+
+### `inputs-digest`
+
+A SHA256 hash digest of all the [inputs to the solving function](ensure-mechanics.md#functional-flow). Those inputs can be shown directly with the hidden command `dep hash-inputs`, allowing this value to be generated directly:
+
+```
+dep hash-inputs | tr -d â\nâ | shasum -a256
+```
\ No newline at end of file
diff --git a/docs/Gopkg.toml.md b/docs/Gopkg.toml.md
index cb0253e810..84ff9d3f1a 100644
--- a/docs/Gopkg.toml.md
+++ b/docs/Gopkg.toml.md
@@ -1,9 +1,131 @@
-# Gopkg.toml
+---
+title: Gopkg.toml
+---
-## `required`
-`required` lists a set of packages (not projects) that must be included in
-Gopkg.lock. This list is merged with the set of packages imported by the current
-project.
+The `Gopkg.toml` file is initially generated by `dep init`, and is primarily hand-edited. It contains several types of rule declarations that govern dep's behavior:
+
+* _Dependency rules:_ [`constraints`](#constraint) and [`overrides`](#override) allow the user to specify which versions of dependencies are acceptable, and where they should be retrieved from.
+* _Package graph rules:_ [`required`](#required) and [`ignored`](#ignored) allow the user to manipulate the import graph by including or excluding import paths, respectively.
+* [`metadata`](#metadata) are a user-defined maps of key-value pairs that dep will ignore. They provide a data sidecar for tools building on top of dep.
+* [`prune`](#prune) settings determine what files and directories can be deemed unnecessary, and thus automatically removed from `vendor/`.
+
+Note that because TOML does not adhere to a tree structure, the `required` and `ignored` fields must be declared before any `[[constraint]]` or `[[override]]`.
+
+There is a full [example](#example) `Gopkg.toml` file at the bottom of this document. `dep init` will also, by default, generate a `Gopkg.toml` containing some example values, for guidance.
+
+## Dependency rules: `[[constraint]]` and `[[override]]`
+
+Most of the rule declarations in a `Gopkg.toml` will be either `[[constraint]]` or `[[override]]` stanzas. Both of these types of stanzas allow exactly the same types of values, but dep interprets them differently. Each allows the following values:
+
+* `name` - the import path corresponding to the [source root](glossary.md#source-root) of a dependency (generally: where the VCS root is)
+* At most one [version rule](#version-rules)
+* An optional [`source` rule](#source)
+* [`metadata`](#metadata) that is specific to the `name`'d project
+
+A full example (invalid, actually, as it has more than one version rule, for illustrative purposes) of either one of these stanzas looks like this:
+
+```toml
+[[constraint]]
+ # Required: the root import path of the project being constrained.
+ name = "github.com/user/project"
+ # Recommended: the version constraint to enforce for the project.
+ # Note that only one of "branch", "version" or "revision" can be specified.
+ version = "1.0.0"
+ branch = "master"
+ revision = "abc123"
+
+ # Optional: an alternate location (URL or import path) for the project's source.
+ source = "https://github.com/myfork/package.git"
+
+ # Optional: metadata about the constraint or override that could be used by other independent systems
+ [metadata]
+ key1 = "value that convey data to other systems"
+ system1-data = "value that is used by a system"
+ system2-data = "value that is used by another system"
+```
+
+### `[[constraint]]`
+
+A `[[constraint]]` stanza defines rules for how a [direct dependency](glossary.md#direct-dependency) must be incorporated into the dependency graph. Dep respects these declarations from the current project's `Gopkg.toml`, as well as the `Gopkg.toml` files found in any dependencies.
+
+**Use this for:** having a [direct dependency](FAQ.md#what-is-a-direct-or-transitive-dependency) use a specific branch, version range, revision, or alternate source (such as a fork).
+
+### `[[override]]`
+
+An `[[override]]` stanza differs from a `[[constraint]]` in that it applies to all dependencies, [direct](glossary.md#direct-dependency) and [transitive](glossary.md#transitive-dependency), and supersedes all other `[[constraint]]` declarations for that project. However, only overrides from the current project's `Gopkg.toml` are incorporated.
+
+**Use this for:** Overrides are primarily intended as a way of eliminating disagreements between multiple irreconcilable `[[constraint]]` declarations on a single dependency. However, they will also be your primary recourse if you need to [constrain a transitive dependency's version?](FAQ.md#how-do-i-constrain-a-transitive-dependencys-version)
+
+Overrides should be used cautiously and temporarily, when possible.
+
+### `source`
+
+A `source` rule can specify an alternate location from which the `name`'d project should be retrieved. It is primarily useful for temporarily specifying a fork for a repository.
+
+`source` rules are generally brittle and should only be used when there is no other recourse. Using them to try to circumvent network reachability issues is typically an antipattern.
+
+### Version rules
+
+Version rules can be used in either `[[constraint]]` or `[[override]]` stanzas. There are three types of version rules - `version`, `branch`, and `revision`. At most one of the three types can be specified.
+
+#### `version`
+
+`version` is a property of `constraint`s and `override`s. It is used to specify version constraint of a specific dependency. It can be used to target an arbitrary VCS tag, or a semantic version, or a range of semantic versions.
+
+Specifying semantic version ranges can be done using the following operators:
+
+* `=`: equal
+* `!=`: not equal
+* `>`: greater than
+* `<`: less than
+* `>=`: greater than or equal to
+* `<=`: less than or equal to
+* `-`: literal range. Eg: 1.2 - 1.4.5 is equivalent to >= 1.2, <= 1.4.5
+* `~`: minor range. Eg: ~1.2.3 is equivalent to >= 1.2.3, < 1.3.0
+* `^`: major range. Eg: ^1.2.3 is equivalent to >= 1.2.3, < 2.0.0
+* `[xX*]`: wildcard. Eg: 1.2.x is equivalent to >= 1.2.0, < 1.3.0
+
+You might, for example, include a rule that specifies `version = "=2.0.0"` to pin a dependency to version 2.0.0, or constrain to minor releases with: `version = "~2.1.0"`. Refer to the [semver library](https://github.com/Masterminds/semver) documentation for more info.
+
+**Note**: When you specify a version *without an operator*, `dep` automatically uses the `^` operator by default. `dep ensure` will interpret the given version as the min-boundary of a range, for example:
+
+* `1.2.3` becomes the range `>=1.2.3, <2.0.0`
+* `0.2.3` becomes the range `>=0.2.3, <0.3.0`
+* `0.0.3` becomes the range `>=0.0.3, <0.1.0`
+
+`~` and `=` operators can be used with the versions. When a version is specified without any operator, `dep` automatically adds a caret operator, `^`. The caret operator pins the left-most non-zero digit in the version. For example:
+```
+^1.2.3 means 1.2.3 <= X < 2.0.0
+^0.2.3 means 0.2.3 <= X < 0.3.0
+^0.0.3 means 0.0.3 <= X < 0.1.0
+```
+
+To pin a version of direct dependency in manifest, prefix the version with `=`. For example:
+```toml
+[[constraint]]
+ name = "github.com/pkg/errors"
+ version = "=0.8.0"
+```
+
+#### `branch`
+
+Using a `branch` constraint will cause dep to use the named branch (e.g., `branch = "master"`) for a particular dependency. The revision at the tip of the branch will be recorded into `Gopkg.lock`, and almost always remain the same until a change is requested, via `dep ensure -update`.
+
+In general, you should prefer semantic versions to branches, when a project has made them available.
+
+#### `revision`
+
+A `revision` is the underlying immutable identifier - like a git commit SHA1. While it is allowed to constrain to a `revision`, doing so is almost always an antipattern.
+
+Usually, folks are inclined to pin to a revision because they feel it will somehow improve their project's reproducibility. That is not a good reason. `Gopkg.lock` provides reproducibility. Only use `revision` if you have a good reason to believe that _no_ other version of that dependency _could_ work.
+
+## Package graph rules: `required` and `ignored`
+
+As part of normal operation, dep analyzes import statements in Go code. These import statements connect packages together, ultimately forming a graph. The `required` and `ignored` rules manipulate that graph, in ways that are roughly dual to each other: `required` adds import paths to the graph, and `ignored` removes them.
+
+### `required`
+
+`required` lists a set of packages (not projects) that must be included in Gopkg.lock. This list is merged with the set of packages imported by the current project.
```toml
required = ["github.com/user/thing/cmd/thing"]
```
@@ -12,7 +134,7 @@ required = ["github.com/user/thing/cmd/thing"]
* Are needed by your project
* Aren't `import`ed by your project, [directly or transitively](FAQ.md#what-is-a-direct-or-transitive-dependency)
-* You don't want put in your `GOPATH`, and/or you want to lock the version
+* You don't want to put them in your `GOPATH`, and/or you want to lock the version
Please note that this only pulls in the sources of these dependencies. It does not install or compile them. So, if you need the tool to be installed you should still run the following (manually or from a `Makefile`) after each `dep ensure`:
@@ -30,27 +152,28 @@ export PATH=$GOBIN:$PATH
You might also try [virtualgo](https://github.com/GetStream/vg), which installs dependencies in the `required` list automatically in a project specific `GOBIN`.
-## `ignored`
+
+### `ignored`
`ignored` lists a set of packages (not projects) that are ignored when dep statically analyzes source code. Ignored packages can be in this project, or in a dependency.
+
```toml
ignored = ["github.com/user/project/badpkg"]
```
-Use wildcard character (*) to define a package prefix to be ignored. Use this
-to ignore any package and their subpackages.
+Use `*` to define a package prefix to be ignored. This will cause any lexical wildcard match to be ignored, including the literal string prior to the `*`.
+
```toml
ignored = ["github.com/user/project/badpkg*"]
```
-**Use this for:** preventing a package and any of that package's unique
-dependencies from being installed.
+**Use this for:** preventing a package, and any of that package's unique dependencies, from being incorporated in `Gopkg.lock`.
## `metadata`
`metadata` can exist at the root as well as under `constraint` and `override` declarations.
`metadata` declarations are ignored by dep and are meant for usage by other independent systems.
-A `metadata` declaration at the root defines metadata about the project itself. While a `metadata` declaration under a `constraint` or an `override` defines metadata about that `constraint` or `override`.
+The root `metadata` declaration defines information about the project itself, while a `metadata` declaration under a `[[constraint]]` or an `[[override]]` defines metadata about that rule, for the `name`d project.
```toml
[metadata]
key1 = "value that convey data to other systems"
@@ -58,105 +181,63 @@ system1-data = "value that is used by a system"
system2-data = "value that is used by another system"
```
-## `constraint`
-A `constraint` provides rules for how a [direct dependency](FAQ.md#what-is-a-direct-or-transitive-dependency) may be incorporated into the
-dependency graph.
-They are respected by dep whether coming from the Gopkg.toml of the current project or a dependency.
-```toml
-[[constraint]]
- # Required: the root import path of the project being constrained.
- name = "github.com/user/project"
- # Recommended: the version constraint to enforce for the project.
- # Only one of "branch", "version" or "revision" can be specified.
- version = "1.0.0"
- branch = "master"
- revision = "abc123"
-
- # Optional: an alternate location (URL or import path) for the project's source.
- source = "https://github.com/myfork/package.git"
+## `prune`
- # Optional: metadata about the constraint that could be used by other independent systems
- [constraint.metadata]
- key1 = "value that convey data to other systems"
- system1-data = "value that is used by a system"
- system2-data = "value that is used by another system"
-```
+`prune` defines the global and per-project prune options for dependencies. The options determine which files are discarded when writing the `vendor/` tree.
-**Use this for:** having a [direct dependency](FAQ.md#what-is-a-direct-or-transitive-dependency)
-use a specific branch, version range, revision, or alternate source (such as a
-fork).
+The following are the current available options:
+* `unused-packages` indicates that files from directories that do not appear in the package import graph should be pruned.
+* `non-go` prunes files that are not used by Go.
+* `go-tests` prunes Go test files.
-## `override`
-An `override` has the same structure as a `constraint` declaration, but supersede all `constraint` declarations from all projects. Only `override` declarations from the current project's `Gopkg.toml` are applied.
+Out of an abundance of caution, dep non-optionally preserves files that may have legal significance.
+Pruning is disabled by default. It can be enabled by setting them to `true` at the root level.
```toml
-[[override]]
- # Required: the root import path of the project being constrained.
- name = "github.com/user/project"
- # Optional: specifying a version constraint override will cause all other constraints on this project to be ignored; only the overridden constraint needs to be satisfied. Again, only one of "branch", "version" or "revision" can be specified.
- version = "1.0.0"
- branch = "master"
- revision = "abc123"
- # Optional: specifying an alternate source location as an override will enforce that the alternate location is used for that project, regardless of what source location any dependent projects specify.
- source = "https://github.com/myfork/package.git"
-
- # Optional: metadata about the override that could be used by other independent systems
- [override.metadata]
- key1 = "value that convey data to other systems"
- system1-data = "value that is used by a system"
- system2-data = "value that is used by another system"
+[prune]
+ non-go = true
```
-**Use this for:** all the same things as a [`constraint`](#constraint), but for
-[transitive dependencies](FAQ.md#what-is-a-direct-or-transitive-dependency).
-See [How do I constrain a transitive dependency's version?](FAQ.md#how-do-i-constrain-a-transitive-dependencys-version)
-for more details on how overrides differ from `constraint`s. _Overrides should
-be used cautiously, sparingly, and temporarily._
+The same prune options can be defined per-project. An addtional `name` field is required and, as with should represent a project and not a package.
-## `version`
-`version` is a property of `constraint`s and `override`s. It is used to specify
-version constraint of a specific dependency.
-
-Internally, dep uses [Masterminds/semver](https://github.com/Masterminds/semver)
-to work with semver versioning.
-
-`~` and `=` operators can be used with the versions. When a version is specified
-without any operator, `dep` automatically adds a caret operator, `^`. The caret
-operator pins the left-most non-zero digit in the version. For example:
-```
-^1.2.3 means 1.2.3 <= X < 2.0.0
-^0.2.3 means 0.2.3 <= X < 0.3.0
-^0.0.3 means 0.0.3 <= X < 0.1.0
-```
-
-To pin a version of direct dependency in manifest, prefix the version with `=`.
-For example:
```toml
-[[constraint]]
- name = "github.com/pkg/errors"
- version = "=0.8.0"
-```
-
-[Why is dep ignoring a version constraint in the manifest?](FAQ.md#why-is-dep-ignoring-a-version-constraint-in-the-manifest)
+[prune]
+ non-go = true
+ [[prune.project]]
+ name = "github.com/project/name"
+ go-tests = true
+ non-go = false
+```
# Example
-Here's an example of a sample Gopkg.toml with most of the elements
+A sample `Gopkg.toml` with most elements present:
```toml
required = ["github.com/user/thing/cmd/thing"]
-ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+ignored = [
+ "github.com/user/project/pkgX",
+ "bitbucket.org/user/project/pkgA/pkgY"
+]
[metadata]
codename = "foo"
+[prune]
+ non-go = true
+
+ [[prune.project]]
+ name = "github.com/project/name"
+ go-tests = true
+ non-go = false
+
[[constraint]]
name = "github.com/user/project"
version = "1.0.0"
- [constraint.metadata]
+ [metadata]
property1 = "value1"
property2 = 10
@@ -169,6 +250,6 @@ codename = "foo"
name = "github.com/x/y"
version = "2.4.0"
- [override.metadata]
+ [metadata]
propertyX = "valueX"
```
diff --git a/docs/img/DigbyFlat.png b/docs/assets/DigbyFlat.png
similarity index 100%
rename from docs/img/DigbyFlat.png
rename to docs/assets/DigbyFlat.png
diff --git a/docs/img/DigbyFlat.svg b/docs/assets/DigbyFlat.svg
similarity index 100%
rename from docs/img/DigbyFlat.svg
rename to docs/assets/DigbyFlat.svg
diff --git a/docs/img/DigbyFlatScene2.png b/docs/assets/DigbyFlatScene2.png
similarity index 100%
rename from docs/img/DigbyFlatScene2.png
rename to docs/assets/DigbyFlatScene2.png
diff --git a/docs/img/DigbyFlatScene2.svg b/docs/assets/DigbyFlatScene2.svg
similarity index 100%
rename from docs/img/DigbyFlatScene2.svg
rename to docs/assets/DigbyFlatScene2.svg
diff --git a/docs/img/DigbyScene2Flat.png b/docs/assets/DigbyScene2Flat.png
similarity index 100%
rename from docs/img/DigbyScene2Flat.png
rename to docs/assets/DigbyScene2Flat.png
diff --git a/docs/img/DigbyScene2Flat.svg b/docs/assets/DigbyScene2Flat.svg
similarity index 100%
rename from docs/img/DigbyScene2Flat.svg
rename to docs/assets/DigbyScene2Flat.svg
diff --git a/docs/img/DigbyScene2Shadows.png b/docs/assets/DigbyScene2Shadows.png
similarity index 100%
rename from docs/img/DigbyScene2Shadows.png
rename to docs/assets/DigbyScene2Shadows.png
diff --git a/docs/img/DigbyScene2Shadows.svg b/docs/assets/DigbyScene2Shadows.svg
similarity index 100%
rename from docs/img/DigbyScene2Shadows.svg
rename to docs/assets/DigbyScene2Shadows.svg
diff --git a/docs/img/DigbyShadows.png b/docs/assets/DigbyShadows.png
similarity index 100%
rename from docs/img/DigbyShadows.png
rename to docs/assets/DigbyShadows.png
diff --git a/docs/img/DigbyShadows.svg b/docs/assets/DigbyShadows.svg
similarity index 100%
rename from docs/img/DigbyShadows.svg
rename to docs/assets/DigbyShadows.svg
diff --git a/docs/img/DigbyShadowsScene2.png b/docs/assets/DigbyShadowsScene2.png
similarity index 100%
rename from docs/img/DigbyShadowsScene2.png
rename to docs/assets/DigbyShadowsScene2.png
diff --git a/docs/img/DigbyShadowsScene2.svg b/docs/assets/DigbyShadowsScene2.svg
similarity index 100%
rename from docs/img/DigbyShadowsScene2.svg
rename to docs/assets/DigbyShadowsScene2.svg
diff --git a/docs/img/StatusGraph.png b/docs/assets/StatusGraph.png
similarity index 100%
rename from docs/img/StatusGraph.png
rename to docs/assets/StatusGraph.png
diff --git a/docs/assets/annotated-func-arrows.png b/docs/assets/annotated-func-arrows.png
new file mode 100644
index 0000000000..cc9190f2a0
Binary files /dev/null and b/docs/assets/annotated-func-arrows.png differ
diff --git a/docs/assets/base-arrows.png b/docs/assets/base-arrows.png
new file mode 100644
index 0000000000..d60e598c86
Binary files /dev/null and b/docs/assets/base-arrows.png differ
diff --git a/docs/assets/four-states.png b/docs/assets/four-states.png
new file mode 100644
index 0000000000..a1aa5a566e
Binary files /dev/null and b/docs/assets/four-states.png differ
diff --git a/docs/assets/func-toggles.png b/docs/assets/func-toggles.png
new file mode 100644
index 0000000000..8e081b30fc
Binary files /dev/null and b/docs/assets/func-toggles.png differ
diff --git a/docs/assets/in-sync.png b/docs/assets/in-sync.png
new file mode 100644
index 0000000000..094148a5c0
Binary files /dev/null and b/docs/assets/in-sync.png differ
diff --git a/docs/assets/lock-back.png b/docs/assets/lock-back.png
new file mode 100644
index 0000000000..ad769756d3
Binary files /dev/null and b/docs/assets/lock-back.png differ
diff --git a/docs/assets/required-arrows.png b/docs/assets/required-arrows.png
new file mode 100644
index 0000000000..791076f991
Binary files /dev/null and b/docs/assets/required-arrows.png differ
diff --git a/docs/daily-dep.md b/docs/daily-dep.md
new file mode 100644
index 0000000000..faf22617cd
--- /dev/null
+++ b/docs/daily-dep.md
@@ -0,0 +1,127 @@
+---
+title: Daily Dep
+---
+
+This guide is an introduction to the day-to-day use of dep. If you haven't set up a Go project at all yet, though, run through [Creating a New Project](new-project.md) first.
+
+Dep is a tool you'll use regularly in the course of normal Go development. Regularly, but briefly - dependency management is never the place we want to be spending our time or energy! In keeping with Go's philosophy of minimizing knobs, dep has a sparse interface; there are only two commands you're likely to run regularly:
+
+* `dep ensure` is the primary workhorse command, and is the only command that changes disk state.
+* `dep status` reports on the state of your project, and the visible universe of Go software projects.
+
+This guide primarily centers on `dep ensure`, as that's the command you run to effect changes on your project. The [Models and Mechanisms](ensure-mechanics.md) reference document details how the things work under the hood, and is worth reading if you're encountering a confusing `dep ensure` behavior (or just curious!).
+
+## Basics
+
+Let's start with words!
+
+Dep's main command is `dep ensure`. The verb is "ensure" to imply that the action is not just some single, discrete action (like adding a dependency), but enforcing some kind of broader guarantee. If we wanted to express the `dep ensure` guarantee as a sentence, it would go something like this:
+
+> Hey dep, please make sure that [my project](glossary.md#current-project) is [in sync](glossary.md#sync): that [`Gopkg.lock`](Gopkg.lock.md) satisfies all the imports in my project, and all the rules in[ `Gopkg.toml`](Gopkg.toml.md), and that `vendor/` contains exactly what `Gopkg.lock` says it should."
+
+As the narrative indicates, `dep ensure` is a holistic operation; rather than offering a series of commands that you run in succession to incrementally achieve a some final state, each run of `dep ensure` delivers a safe, complete, and reproducible set of dependencies with respect to the current state of your project. You might imagine repeated runs of `dep ensure` as being a bit like a frog, hopping from one lilypad to the next.
+
+ `dep ensure` also guarantees that, barring `kill -9`, power failure, or a critical bug, its disk writes are all-or-nothing: on any given run, either nothing changes (and you get an error), or you're on the nearest safe lilypad. This makes `dep ensure` fine to run at most any time.
+
+
+## Using `dep ensure`
+
+There are four times when you'll run `dep ensure`:
+
+- To add a new dependency
+- To update an existing dependency
+- To catch up after importing a package for the first time in your project, or removing the last import of a package in your project
+- To catch up to a change to a rule in `Gopkg.toml`
+
+There's also an implicit fifth time: when you're not sure if one of the above has happened. Running `dep ensure` without any additional flags will get your project back in sync - a known good state. As such, it's generally safe to defensively run `dep ensure` as a way of simply making sure that your project is in that state.
+
+Let's explore each of moments. To play along, you'll need to `cd` into a project that's already been set up by `dep init`. If you haven't done that yet, check out the guides for [new projects](new-project.md) and [migrations](migrating.md).
+
+### Adding a new dependency
+
+Let's say that we want to introduce a new dependency on `github.com/pkg/errors`. This can be accomplished with one command:
+
+```bash
+$ dep ensure -add github.com/pkg/errors
+```
+
+> Much like git, `dep status` and `dep ensure` can also be run from any subdirectory of your project root, which is determined by the presence of a `Gopkg.toml` file.
+
+This should succeed, resulting in an updated `Gopkg.lock` and `vendor/` directory, as well as injecting a best-guess version constraint for `github.com/pkg/errors` into our `Gopkg.toml`. But, it will also report a warning:
+
+```bash
+"github.com/pkg/errors" is not imported by your project, and has been temporarily added to Gopkg.lock and vendor/.
+If you run "dep ensure" again before actually importing it, it will disappear from Gopkg.lock and vendor/.
+```
+
+As the warning suggests, you should introduce an `import "github.com/pkg/errors"` in your code, the sooner the better. If you don't, a later `dep ensure` run will interpret your newly-added dependency as unused, and automatically remove it from `Gopkg.lock` and `vendor/`. This also means that if you want to add multiple dependencies at once, you'll need to do it in a single command, rather than one after the other:
+
+```bash
+$ dep ensure -add github.com/pkg/errors github.com/foo/bar
+```
+
+Dep works this way because it considers the import statements it discovers through static analysis of your project's code to be the canonical indicator of what dependencies must be present. That choice does add some pain at this moment, but it reduces friction and automates cleanup elsewhere. Tradeoffs!
+
+Of course, given this model, you don't _have to_ use `dep ensure -add` to add new dependencies - you can also just add an appropriate `import` statement in your code, then run `dep ensure`. However, this approach doesn't always play nicely with [`goimports`](https://godoc.org/golang.org/x/tools/cmd/goimports), and also won't append a `[[constraint]]` into `Gopkg.toml`. Still, it can be useful at times, often for rapid iteration and off-the-cuff experimenting.
+
+The [ensure mechanics section on `-add`](ensure-mechanics.md#add) has a more thorough exploration, including some ways that `dep ensure -add`'s behavior subtly varies depending on the state of your project.
+
+### Updating dependencies
+
+Ideally, updating a dependency project to a newer version is a single command:
+
+```bash
+$ dep ensure -update github.com/foo/bar
+```
+
+This also works without arguments to try to update all dependencies, though it's generally not recommended:
+
+```bash
+$ dep ensure -update
+```
+
+`dep ensure -update` searches for versions that work with the `branch`, `version`, or `revision` constraint defined in `Gopkg.toml`. These constraint types have different semantics, some of which allow `dep ensure -update` to effectively find a "newer" version, while others will necessitate hand-updating the `Gopkg.toml`. The [ensure mechanics](ensure-mechanics.md#update-and-constraint-types) guide explains this in greater detail, but if you want to know what effect a `dep ensure -update` is likely to have for a particular project, the `LATEST` field in `dep status` output will tell you.
+
+### Adding and removing `import` statements
+
+As noted in [the section on adding dependencies](#adding-a-new-dependency), dep relies on the import statements in your code to figure out which dependencies your project actually needs. Thus, when you add or remove import statements, dep might need to care about it.
+
+It's only "might," though, because most of the time, adding or removing imports doesn't matter to dep. Only if one of the following has occurred will a `dep ensure` be necessary to bring the project back in sync:
+
+1. You've added the first `import` of a package, but already `import` other packages from that project.
+2. You've removed the last `import` of a package, but still `import` other packages from that project.
+3. You've added the first `import` of any package within a particular project. (Note: this is the [alternate adding approach](#adding-a-new-dependency))
+4. You've removed the last `import` of a package from within a particular project.
+
+In short, dep is concerned with the set of unique import paths across your entire project, and only cares when you make a change that adds or removes an import path from that set.
+
+Of course, especially on large projects, it can be tough to keep track of whether adding or removing (especially removing) a particular import statement actually does change the overall set. Fortunately, you needn't keep close track, as you can run `dep ensure` and it will automatically pick up any additions or removals, and bring your project back in sync.
+
+Only if it is the first/last import of a project being added/removed - cases 3 and 4 - are additional steps needed: `Gopkg.toml` should be updated to add/remove the corresponding project's `[[constraint]]`.
+
+### Rule changes in `Gopkg.toml`
+
+`Gopkg.toml` files contain five basic types of rules. The [`Gopkg.toml` docs](#gopkg.toml.md) explain them in detail, but here's an overview:
+
+* `required`, which are mostly equivalent to `import` statements in `.go` files, except that it's OK to list a `main` package here
+* `ignored`, which causes dep to black hole an import path (and any imports it uniquely introduces)
+* `[[constraint]]`, stanzas that express version constraints and some other rules on a per-project dependency basis
+* `[[override]]`, stanzas identical to `[[constraint]]` except that only the current project can express them and they supersede `[[constraint]]` in both the current project and dependencies
+* `[prune]`, global and per-project rules that govern what kinds of files should be removed from `vendor/`
+
+Changes to any one of these rules will likely necessitate changes in `Gopkg.lock` and `vendor/`; a single successful `dep ensure` run will incorporate all such changes at once, bringing your project back in sync.
+
+## Key Takeaways
+
+Here are the key takeaways from this guide:
+
+- `dep ensure -update` is the preferred way to update dependencies, though it's less effective for projects that don't publish semver releases.
+- `dep ensure -add` is usually the easiest way to introduce new dependencies, though it's not the only one. To add more than one at a time, you'll need to use multiple arguments, not multiple invocations - and make sure to add real `import` statements for the projects after the command completes!
+- If you ever make a manual change in `Gopkg.toml`, it's best to run `dep ensure` to make sure everything's in sync.
+- `dep ensure` is almost never the wrong thing to run; if you're not sure what's going on, running it will bring you back to safety ("the nearest lilypad"), or fail informatively.
+
+Also, a couple other miscellaneous tidbits:
+
+- As in the Go toolchain generally, avoid symlinks within your own project. dep tolerates a bit of this, but like the Go toolchain itself, is generally not terribly supportive of symlinks.
+- Never directly edit anything in `vendor/`; dep will unconditionally overwrite such changes. If you need to modify a dependency, fork it and do it properly.
+
diff --git a/docs/deduction.md b/docs/deduction.md
new file mode 100644
index 0000000000..3675c194a2
--- /dev/null
+++ b/docs/deduction.md
@@ -0,0 +1,26 @@
+---
+title: Import Path Deduction
+---
+
+Deduction is dep's algorithm for looking at an import path and determining the portion of the path that corresponds to the source root. The algorithm has a static component, by which a small set of known, popular hosts like GitHub and Bitbucket have their roots deduced:
+
+- `github.com/golang/dep/gps` -> `github.com/golang/dep`
+- `bitbucket.org/foo/bar/baz` -> `bitbucket.org/foo/bar`
+
+The set of hosts supported by static deduction are the same as [those supported by `go get`](https://golang.org/cmd/go/#hdr-Remote_import_paths):
+
+* GitHub
+* Bitbucket
+* Launchpad
+* IBM DevOps Services
+
+In addition, dep also handles [gopkg.in](http://gopkg.in) directly with static deduction because, owing to internal implementation details, it is the easiest way of also attaching filters to adapt the versioning semantics of gopkg.in import paths into dep's versioning model. This turns out fine, as gopkg.in's rules mapping rules are themselves entirely static.
+
+If the static logic cannot identify the root for a given import path, the algorithm continues to a dynamic component: dep makes an HTTP(S) request to the import path, and a server is expected to send back the root import path embedded within the HTML response. Again, this directly emulates the behavior of `go get`.
+
+Import path deduction is applied to all of the following:
+
+* `import` statements found in all `.go` files
+* Import paths in the [`required`](gopkg.toml.md#required) list in `Gopkg.toml`
+* `name` properties in both [`[[constraint]]`](Gopkg.toml.md#constraint) and [`[[override]]`](Gopkg.toml.md#override) stanzas in `Gopkg.toml`. This is solely for validation purposes, enforcing that these names correspond only to project/source roots.
+
diff --git a/docs/ensure-mechanics.md b/docs/ensure-mechanics.md
new file mode 100644
index 0000000000..e7173425a8
--- /dev/null
+++ b/docs/ensure-mechanics.md
@@ -0,0 +1,203 @@
+---
+title: Models and Mechanisms
+---
+
+While dep has many discrete components and moving parts, all of these parts revolve around a central model. This document explains that model, then explores the dep's primary mechanisms in the context of that model.
+
+## States and flows
+
+Dep is centered around the idea of the "four state system" - a model for classifying and organizing the on-disk state with which a package manager interacts. This was first articulated as a coherent, general model in [this (long) article](https://medium.com/@sdboyer/so-you-want-to-write-a-package-manager-4ae9c17d9527), though many of the principles in the four state model were derived from existing package managers.
+
+Briefly, the four states are:
+
+1. The [current project's](glossary.md#current-project) source code.
+2. A [manifest](glossary.md#manifest) - a file describing the current project's dependency requirements. In dep, this is the [`Gopkg.toml`](Gopkg.toml.md) file.
+3. A [lock](glossary.md#lock) - a file containing a transitively-complete, reproducible description of the dependency graph. In dep, this is the [`Gopkg.lock`](Gopkg.lock.md) file.
+4. The source code of the dependences themselves. In dep's current design, this is the `vendor/` directory.
+
+We can visually represent these four states as follows:
+
+
+
+### Functional flow
+
+It's useful to think of dep as a system that imposes a unidirectional, functional flow on the relationships between these states. These functions treat the above states as inputs and outputs, moving them from left to right. Specifically, there are two functions:
+
+* A _solving function_, that takes as its input the set of imports in the current project and the rules in `Gopkg.toml`, and returns as its output a transitively-complete, immutable dependency graph - the information in a `Gopkg.lock`.
+* A _vendoring function_, that takes the information in a `Gopkg.lock` as its input and ensures an on-disk arrangement of source files such that the compiler will use the versions designated in the lock.
+
+We can represent these two functions visually:
+
+
+
+This is `dep ensure` - the typical flow, used when a `Gopkg.toml` already exists. When a project does not yet have a `Gopkg.toml`, `dep init` can generate one. The essential flow remains the same, but with changed inputs: instead of reading from an existing `Gopkg.toml` file, `dep init` constructs one out of data inferred from the user's GOPATH, and/or [a metadata file from another tool](). (In other words, `dep init` automatically migrates a project from other approaches to organizing dependencies.)
+
+This diagram directly corresponds directly to code, as well. The solving function is actually split into a constructor and a method - we first create a [`Solver`](https://godoc.org/github.com/golang/dep/gps#Solver) type, then call its `Solve()` method. The inputs to the constructor are wrapped up in a [`SolveParameters`](https://godoc.org/github.com/golang/dep/gps#SolveParameters), which should look familiar:
+
+```go
+type SolveParameters struct {
+ RootPackageTree pkgtree.PackageTree // Parsed project src; contains lists of imports
+ Manifest gps.RootManifest // Gopkg.toml
+ ...
+}
+```
+
+The vendoring function is [`gps.WriteDepTree()`](https://godoc.org/github.com/golang/dep/gps#WriteDepTree). While it takes a handful of arguments, the relevant one is a [`gps.Lock`](https://godoc.org/github.com/golang/dep/gps#Lock) - an interface representing an abstracted form of the data held in a `Gopkg.lock`.
+
+The four state system, and these functional flows through it, are the foundation on which all of dep's behavior is built. If you want to understand dep's mechanics, keep this model at the forefront of your mind.
+
+### Staying in sync
+
+One of dep's design goals is that both of its "functions" minimize both the work they do, and the change they induce in their respective results. (Note: "minimize" is not currently formally defined with respect to a cost function.) Consequently, both functions peek ahead at the pre-existing result to understand what work actually needs to be done:
+
+* The solving function checks the existing `Gopkg.lock` to determine if all of its inputs (project import statements + `Gopkg.toml` rules) are satisfied. If they are, the solving function can be bypassed entirely. If not, the solving function proceeds, but attempts to change as few of the selections in `Gopkg.lock` as possible.
+ * WIP: The current implementation's check relies on a coarse heuristic check that can be wrong in some cases. There is a [plan to fix this](https://github.com/golang/dep/issues/1496).
+* The vendoring function hashes each discrete project already in `vendor/` to see if the code present on disk is what `Gopkg.lock` indicates it should be. Only projects that deviate from expectations are written out.
+ * WIP: the hashing check is generally referred to as "vendor verification," and [is not yet complete](https://github.com/golang/dep/issues/121). Without this verification, dep is blind to whether code in `vendor/` is correct or not; as such, dep must defensively re-write all projects to ensure the state of `vendor/` is correct.
+
+Of course, it's possible that, in peeking ahead, either function might discover that the pre-existing result is already correct - so no work need be done at all. Either way, when each function completes, we can be sure that the output, changed or not, is correct with respect to the inputs. In other words, the inputs and outputs are "in sync." Indeed, being in sync is the "known good state" of dep; `dep ensure` (without flags) guarantees that if it exits 0, all four states in the project are in sync.
+
+## `dep ensure` flags and behavior variations
+
+Each of `dep ensure`'s various flags affects the behavior of the solving and vendoring functions - or even whether they run at all. Some flags can also marginally push the project out of sync, temporarily. Thinking about these effects in the context of dep's basic model is the fastest path to understanding.
+
+### `-no-vendor` and `-vendor-only`
+
+These two flags are mutually exclusive, and determine which of `dep ensure`'s two functions are actually performed. Passing `-no-vendor` will cause only the solving function to be run, resulting in the creation of a new `Gopkg.lock`; `-vendor-only` will skip solving and run only the vendoring function, causing `vendor/` to be repopulated from the pre-existing `Gopkg.lock`.
+
+
+
+Passing `-no-vendor` has the additional effect of causing the solving function to run unconditionally, bypassing the pre-check ordinarily made against `Gopkg.lock` to see if it already satisfies all inputs.
+
+### `-add`
+
+The general purpose of `dep ensure -add` is to facilitate the introduction of new dependencies into the depgraph. Whereas `-update` is restricted to [source roots](glossary.md#source-root), (e.g. `github.com/foo/bar`), `-add` can take any package import path as an argument (e.g. `github.com/foo/bar` OR `github.com/foo/bar/baz`).
+
+Conceptually, there are two possible things that `-add` might be introducing. Any `dep ensure -add` run will do at least one of these:
+
+1. Running the solving function in order to generate a new `Gopkg.lock` with the new dependenc(ies)
+2. Appending a version constraint into `Gopkg.toml`
+
+This implies two preconditions for `dep ensure -add`, at least one of which must be met:
+
+1. The named import path is not currently in the project's import statements, or in `Gopkg.toml`'s `required` list
+2. There is no `[[constraint]]` stanza in `Gopkg.toml` for the project root corresponding to the named import path
+
+
+It is also possible to explicitly specify a version constraint:
+
+```bash
+$ dep ensure -add github.com/foo/bar@v1.0.0
+```
+
+When no version constraint is included in the argument, the solving function will select the latest version that works (generally, the newest semver release, or the default branch if there are no semver releases). If solving succeeds, then either the argument-specified version, or if none then the version selected by the solver, will be appended into `Gopkg.toml`.
+
+The behavioral variations that arise from the assorted differences in input and current project state are best expressed as a matrix:
+
+| Argument to `dep ensure -add` | Has `[[constraint]]` stanza in `Gopkg.toml` | In imports or `required` | Result |
+| ----------------------------- | ---------------------------------------- | ------------------------ | ---------------------------------------- |
+| `github.com/foo/bar` | N | N | Added temporarily to `Gopkg.lock` & `vendor/`; inferred version constraint appended to `Gopkg.toml` |
+| `github.com/foo/bar@v1.0.0` | N | N | Added temporarily to `Gopkg.lock` & `vendor/`; specified version constraint appended to `Gopkg.toml` |
+| `github.com/foo/bar` | Y | N | Added temporarily to `Gopkg.lock` & `vendor/` |
+| `github.com/foo/bar@v1.0.0` | Y | - | **Immediate error**: constraint already present in `Gopkg.toml` |
+| `github.com/foo/bar` | N | Y | Infer version constraint from `Gopkg.lock` and add to `Gopkg.toml` |
+| `github.com/foo/bar` | Y | Y | **Immediate error:** nothing to do |
+
+For any of the paths where `dep ensure -add` needs to run the solving function in order to generate an updated `Gopkg.lock`, the relevant information from CLI arguments is applied to the in-memory representation of `Gopkg.toml`:
+
+
+
+Import path arguments that need to be added are injected via the `required` list, and if an explicit version requirement was specified, the equivalent of a `[[constraint]]` is created.
+
+Though these rules may ultimately be persisted if solving succeeds, they are ephemeral at least until solving succeeds. And, from the solver's perspective, the ephemeral rules are indistinguishable from rules sourced directly from disk. Thus, to the solver, `dep ensure -add foo@v1.0.0` is identical to modifying `Gopkg.toml` by adding `"foo"` to the `required` list, plus a `[[constraint]]` stanza with `version = "v1.0.0"`, then running `dep ensure`.
+
+However, because these modifications are ephemeral, a successful `dep ensure -add` may actually push the project out of sync. Constraint modifications generally do not, but if the `required` list is modified, then the project will desync. The user is warned accordingly:
+
+```bash
+$ dep ensure -add github.com/foo/bar
+"github.com/foo/bar" is not imported by your project, and has been temporarily added to Gopkg.lock and vendor/.
+If you run "dep ensure" again before actually importing it, it will disappear from Gopkg.lock and vendor/.
+```
+
+### `-update`
+
+The behavior of `dep ensure -update` is intimately linked to the behavior of the solver itself. Full detail on that is a topic for the [solver reference material](the-solver.md), but for the purposes of understanding `-update`, we can simplify a bit.
+
+First, to solidify an implication in the discussion of [functional optimizations](#staying-in-sync), the solving function actually takes into account the pre-existing `Gopkg.lock` when it runs:
+
+
+
+Injecting `Gopkg.lock` into the solver is a necessity. If we want the solver to preserve previously-selected versions by default, then the solver has to learn about the existing `Gopkg.lock` from somewhere. Otherwise, it wouldn't know what to preserve!
+
+As such, the lock is another one of the properties encoded onto the [previously-discussed]() `SolveParameters` struct. That, plus two other properties, are the salient ones for `-update`:
+
+```go
+type SolveParameters struct {
+ ...
+ Lock gps.Lock // Gopkg.lock
+ ToChange []gps.ProjectRoot // args to -update
+ ChangeAll bool // true if no -update args passed
+ ...
+}
+```
+
+Ordinarily, when the solver encounters a project name for which there's an entry in `Gopkg.lock`, it pulls that version out and puts it at the head of the queue of possible versions for that project. When a specific dependency is passed to `dep ensure -update`, however, it is added to the `ToChange` list; when the solver encounters a project listed in `ToChange`, it simply skips pulling the version from the lock.
+
+"Skips pulling the version from the lock" would imply that `dep ensure -update github.com/foo/bar` is equivalent to removing the `[[project]]` stanza for `github.com/foo/bar` from your `Gopkg.lock`, then running `dep ensure`. And indeed it is - however, that approach is not recommended, and subtle changes may be introduced in the future that complicate the equivalency.
+
+If `-update` is passed with no arguments, then `ChangeAll` is set to `true`, resulting in the solver ignoring `Gopkg.lock` for all newly-encountered project names. This is equivalent to explicitly passing all of your dependences as arguments to `dep ensure -update`, as well as `rm Gopkg.lock && dep ensure`. Again, however, neither of these approaches are recommended, and future changes may introduce subtle differences.
+
+When a version hint from `Gopkg.lock` is not placed at the head of the version queue, it means that dep will explore the set of possible versions for a particular dependency. This exploration is performed according to a [fixed sort order](https://godoc.org/github.com/golang/dep/gps#SortForUpgrade), where newer versions are tried first, resulting in an update.
+
+For example, say there is a project, `github.com/foo/bar`, with the following versions:
+
+```bash
+v1.2.0, v1.1.1, v1.1.0, v1.0.0, master
+```
+
+If we depend on that project with `^1.1.0`, and have `v1.1.0` in our `Gopkg.lock` , then it means there are three versions that match our constraint, and two of them are newer than the one currently selected. (There's also an older version, `v1.0.0`, and a `master` branch, but these aren't allowed by a `^1.1.0` constraint.) An ordinary `dep ensure` run will duplicate and push `v1.1.0` ahead of all the others in the queue:
+
+```bash
+[v1.1.0, v1.2.0, v1.1.1, v1.1.0, v1.0.0, master]
+```
+
+And `v1.1.0` will be selected again, unless some other condition is presented that forces the solver to discard it. When running `dep ensure -update github.com/foo/bar`, however, the locked version is not prepended:
+
+```bash
+[v1.2.0, v1.1.1, v1.1.0, v1.0.0, master]
+```
+
+So, barring some other conflict, `v1.2.0` is selected, resulting in the desired update.
+
+#### `-update` and constraint types
+
+Continuing with our example, it's important to note that updates with `-update` are achieved incidentally - the solver never explicitly targets a newer version. It just skips adding a hint from the lock, then selects the first version in the queue that satisfies constraints. Consequently, `-update` is only effective with certain types of constraints.
+
+It does work with branch constraints, which we can observe by including the underlying revision. If the user has constrained on `branch = "master"`, and `Gopkg.lock` points at a topologically older revision (say, `aabbccd`) than the tip of the canonical source's `master` branch (say, `bbccdde`), then `dep ensure` will end up contructing a queue that looks like this:
+
+```bash
+[master@aabbccd, v1.1.0, v1.2.0, v1.1.1, v1.1.0, v1.0.0, master@bbccdde]
+```
+
+With `-update`, the hint at the head will be omitted; `branch = "master"` will cause the solver to reject all of the semantic versions, and finally settle on `master@bbccdde`.
+
+All versions in the version queue keep track of an underlying revision, which means the same is true if, for example, some upstream project force-pushes a git tag:
+
+```bash
+[v1.1.0@aabbccd, v1.1.0, v1.2.0, v1.1.1, v1.1.0@bbccdde, v1.0.0, master]
+```
+
+Thus, even if an upstream tag is force-pushed in one of your project's dependences, dep will retain the original revision until you explicitly allow it to change via a `dep ensure -update`.
+
+The key takeaway here is that `-update`'s behavior is governed by the type of constraints specified:
+
+| `Gopkg.toml` version constraint type | Constraint example | `dep ensure -update` behavior |
+| ------------------------------------ | ------------------ | ---------------------------------------- |
+| `version` (semver range) | `"^1.0.0"` | Tries to get the latest version allowed by the range |
+| `branch` | `"master"` | Tries to move to the current tip of the named branch |
+| `version` (non-range semver) | `"=1.0.0"` | Change can only occur if the upstream release was moved (e.g. `git push --force `) |
+| `version` (non-semver) | `"foo"` | Change can only occur if the upstream release was moved |
+| `revision` | `aabbccd...` | No change is possible |
+| (none) | (none) | The first version that works, according to [the sort order](https://godoc.org/github.com/golang/dep/gps#SortForUpgrade) (not recommended) |
+
+
diff --git a/docs/failure-modes.md b/docs/failure-modes.md
new file mode 100644
index 0000000000..f06acca0a7
--- /dev/null
+++ b/docs/failure-modes.md
@@ -0,0 +1,204 @@
+---
+title: Failure Modes
+---
+
+Like all complex, network-oriented software, dep has known failure modes. These generally fall into two categories: I/O and logical. I/O errors arise from unexpected responses to system calls that interact with the network or local disk. Logical failures occur when dep encounters issues within the package management problem domain.
+
+## I/O errors
+
+dep reads from the network, and reads and writes to disk, and is thus subject to all the typical errors that are possible with such activities: full disks, failed disks, lack of permissions, network partitions, firewalls, etc. However, there are three classes of I/O errors that are worth addressing specifically:
+
+* Network failures
+* Bad local cache state
+* `vendor` write errors
+
+In general, these problems aren't things we can reasonably program around in dep. Therefore, they can't be considered bugs for us to fix. Fortunately, most of these problems have straightforward remediations.
+
+### Network failures
+
+> **Remediation tl;dr:** most network issues are ephemeral, even if they may last for a few minutes, and can be addressed simply by re-running the same command. Always try this before attempting more invasive solutions.
+
+dep talks to the network at several different points. These vary somewhat depending on source (VCS) type and local disk state, but this list of operations is generally instructive:
+
+* When dep cannot [statically deduce](deduction.md#static-deduction) the source root of an import path, it issues a `go-get` HTTP metadata request to a URL constructed from the import path.
+* Retrieving the list of available versions for a source (think `git ls-remote`) necessarily requires network activity.
+* Initially downloading (in git terms, `git clone`) an upstream source into the local cache also necessarily requires network activity.
+* Updating a local cache (in git terms, `git fetch`) with the latest changes from an upstream source.
+* Writing out code trees under `vendor` is typically done from the local cache, but under some circumstances a tarball may be fetched on-the-fly from a remote source.
+
+
+Network failures that you actually may observe are biased towards the earlier items in the list, simply because those operations tend to happen first: you generally don't see update failures as much as version-listing failures, because they usually have the same underlying cause (source host is down, network partition, etc.), but the version-list request happens first on most paths.
+
+#### Persistent network failures
+
+Although most network failures are ephemeral, there are three well-defined cases where they're more permanent:
+
+* **The network on which the source resides is permanently unreachable from the user's location:** in practice, this generally means one of two things: you've forgotten to log into your company VPN, or you're behind [the GFW](https://en.wikipedia.org/wiki/Great_Firewall). In the latter case, setting the *de facto* standard HTTP proxy environment variables that [`http.ProxyFromEnvironment()`](https://golang.org/pkg/net/http/#ProxyFromEnvironment) respects will cause dep's `go-get` HTTP metadata requests, as well as git, bzr, and hg subcommands, to utilize the proxy.
+
+ * Remediation is also exactly the same when the custom `go-get` HTTP metadata service for a source is similarly unreachable. The failure messages, however, will look like [deduction failures](#deduction-failures).
+
+* **The source has been permanently deleted or moved:** these are [left-pad](https://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/) events, though note that [GitHub automatically redirects traffic after renames](https://help.github.com/articles/renaming-a-repository/), mitigating the rename problem. But, if an upstream source is removed, dep will be unable to proceed until a new upstream source is established for the import path. To that end:
+
+ * If you still have a copy of the source repository in your local cache or GOPATH, consider uploading it to a new location (e.g. forking it) and using a [`source`](Gopkg.toml.md#source) rule to point to the fork.
+ * If you don't have a whole repository locally, then extracting the code currently in your `vendor` directory into a new repository and pushing it to a . (Note: this may have licensing implications.)
+ * If you have no instances of the code locally, then there's little that can be done - that code is simply gone, and you'll need to refactor your project.
+
+ Future versions of dep will be able to better handle an interim period before a new upstream/forked source is created, or simply living in a world where a given code tree exists solely in your project's `vendor` directory.
+
+* **The user lacks the necessary credentials to interact with a source:** see the [FAQ on configuring credentials](FAQ.md#how-do-i-get-dep-to-authenticate-to-a-git-repo).
+
+The exact error text will vary depending on which of the operations is running, what type of source dep is trying to communicate with, and what actual network problem has occurred. The error text may not always make it immediately clear which combination of these you're dealing with, but for persistent problems, it should at least reduce the search space.
+
+#### Hangs
+
+> **Remediation tl;dr:** hangs are almost always network congestion, or sheer amount of network data to fetch. Wait, or cancel and try again with `-v` to try to get more context.
+
+Almost any case where a dep command, run with `-v`, hangs for more than ten minutes will ultimately be a bug. However, the most common explanation for an apparent dep hangs is actually normal behavior: because dep's operation requires that it keep its own copies of upstream sources hidden away in the [local cache](glossary.md#local-cache), the first run of dep against a project, especially large projects, can take a long time while it populates the cache.
+
+The only known case where dep may hang indefinitely is if one of the underlying VCS binaries it calls is prompting for some kind of input. Typically this means credentials (though not always - make sure to accept remote hosts' SSH keys into your known hosts!), and dep's normal assumption is that necessary credentials have been provided via environmental mechanisms - [configuration files or daemons](FAQ.md#how-do-i-get-dep-to-authenticate-to-a-git-repo), SSH agents, etc. This assumption is necessary for dep's concurrent network activity to work. If your use case absolutely cannot support the use of any such environmental caching mechanism, [please weigh in on this issue]().
+
+Unfortunately, until dep [improves the observability of its ongoing I/O operations](), it cannot accurately report to the user which operations are actually underway at any given moment. This can make it difficult to differentiate from other hangs - credentials prompts, long network timeouts induced by firewalls, sluggish TCP when faced with packet loss, etc.
+
+### Bad local cache state
+
+> **Remediation tl;dr:** Remove the local cache dir: `rm -rf $GOPATH/pkg/dep/sources`.
+
+It is possible for parts of the [local cache](glossary.md#local-cache) maintained by dep to get into a bad state. This primarily happens when dep processes are forcibly terminated (e.g. Ctrl-C). This can, for example, terminate a `git` command partway through, leaving bad state on disk. By dep's definition, a [dirty git working copy]() is bad state.
+
+The error messages arising from bad local cache state often do not include full paths, so it may not be immediately obvious that problems are originating in the local cache. If full paths aren't included, then the best hint tends to be that the errors look like local VCS errors, but they're not on files from your own project.
+
+However, for the most part, **dep automatically discovers and recovers from bad local cache state problems**, rebounding back into a good state as it bootstraps each command execution. If you do encounter what appears to be a local cache problem from which dep does not automatically recover, then the fix is typically to just throw out the cache, `rm -rf $GOPATH/pkg/dep/sources`; dep will repopulate it automatically on the next run. However, if you have time, please preserve the local cache dir and report it as a bug!
+
+There are no known cases where, in the course of normal operations, dep can irreparably corrupt its own local cache. Any such case would be considered a critical bug in dep, and you should report it! If you think you've encountered such a case, it should have the following characteristics:
+
+* The error message you're seeing is consistent with some sort of disk state error in a downloaded source within `$GOPATH/pkg/dep/sources`
+* You can identify a bad state (generally: a vcs "status"-type command will either fail outright, or report a modified working tree) in a subdirectory of `$GOPATH/pkg/dep/sources` suggested by the above error
+* The exact same error recurs after removing the local cache dir and running the same command, **without** prematurely terminating the project (e.g. via Ctrl-C)
+
+### `vendor` write errors
+
+Dep may encounter errors while attempting to write out the `vendor` directory itself (any such errors will result in a full rollback; causing no changes to be made to disk). To help pinpoint where the problem may be, know that this is the flow for populating `vendor`:
+
+1. Allocate a new temporary directory within the system temporary directory.
+2. Rename the existing `vendor` directory to `vendor.orig`. Do this within the current project's root directory if possible; if not, rename and move it to the tempdir.
+3. Create a new `vendor` directory within the tempdir and concurrently populate it with all the projects named in `Gopkg.lock`.
+4. Move the new `vendor` directory into place in the current project's root directory.
+5. Delete the old `vendor` directory.
+
+Note: this flow will become more targeted after [vendor verification]() allows dep to identify and target the subset of projects currently in `vendor` that need to be changed.
+
+Known problems in this category include:
+
+* Insufficient space in the temporary directory will cause an error, triggering a rollback. However, because the rollback process cleans up files written so-far, the temporary partition won't actually be full after dep exits, which can be misleading.
+* Attempting to [re]move the original `vendor` directory can fail with permissions errors if any of the files therein are "open", in some editors/on some OSes (particularly Windows). [There's an issue for this]().
+
+## Logical failures
+
+Logical failures encompass everything that can happen within dep's logical problem-solving domain - after
+
+Some of these failures can be as straightforward as typos, and are just as easily resolved. Others, unfortunately, may necessitate forking and modifying an upstream project - although such cases are very rare.
+
+### Deduction failures
+
+Import path deduction, as detailed in the [deduction reference](deduction.md), has both static and dynamic phases. When neither of these phases is able to determine the source root for a given import path, it is considered to be a deduction failure. Deduction failures all contain this key error text:
+
+```bash
+...unable to deduce repository and source type for ""...
+```
+
+_Note: there are [more varied error messages for the small subset of cases](#malformed-import-paths) where an import path appears to be deducible, but is somehow malformed._
+
+When a deduction failure occurs on a given import path, the proximal cause will have been one of following five scenarios (arranged from most to least likely):
+
+* The import path was never deducible.
+* **Dynamic deduction failures:**
+ * The import path was, at one time, dynamically deducible, and the metadata service for it is up, but it is unreachable by dep.
+ * The import path was, at one time, dynamically deducible, but the metadata service for it is down.
+* **Static rule changes:**
+ * The import path cannot be statically deduced by the running version of dep, but a newer version of dep has added rules that can statically deduce it.
+ * The import path was once statically deducible, but the running version of dep has discontinued support for it.
+
+In all of these cases, your last recourse will be to add a [`source`](Gopkg.toml.md#source) directive to fix the problem. However, these directives are brittle, and should only be used when other options have been exhausted; also, until [this problem is solved](https://github.com/golang/dep/issues/860), even `source` may not be able to help.
+
+#### Undeducible paths
+
+> **Remediation tl;dr:** You made a typo; fix it. If not, you may need a `source`, but be sparing with those.
+
+The most likely cause of deduction failure is minor user error. Specifically, the user is the _current_ user (you), and the error is there is a mistyped import path somewhere in the current (your) project. The problem may be in your `Gopkg.toml`, or one of your imports, but the error message should point you directly at the problem, and the solution is usually obvious - e.g., "gihtub".
+
+Validation of the inputs from the current project are made fast and up front in dep, so these errors will tend to present themselves immediately. Between this fast validation, and the fact that projects are typically uncompilable, or at least not `go get`-able, with these kinds of errors, they tend to be caught early. This is why truly undeducible paths pop up primarily as temporary accidents while hacking on your own projects - you have to fix them to move on.
+
+That undeducibility is an immediate and hard blocker, however, has led to this being a sticking point for migration to dep. In particular, there are two issues:
+
+* Several other Go dependency management tools do allow specifying arbitrary VCS/source URLs, and [but support for that via `source` in dep is still pending](https://github.com/golang/dep/issues/860).
+* GitHub Enterprise only implements `go-get` HTTP metadata correctly for the root package of a repository. In practice, this makes all import paths pointing to GHE undeducible, and `source` can't help either without the aforementioned improvement.
+
+If the problem import path is in your current project, but the problem isn't an obvious typo, then you're likely experiencing a dynamic failure, or may need to check the [deduction reference](deduction.md) to understand what what a deducible import path looks like.
+
+#### Dynamic deduction failures
+
+Most dynamic deduction failures are either ephemeral network or service availability issues, and will go away by re-running the previous command. Always try that first.
+
+If the issue persists, and you're certain the import path should be deducible, network issues are the first culprit to check. The typical causes (VPN, firewalls) and remediation for when a metadata service is unreachable are the same as [when a source itself is unreachable](#persistent-network-failures).
+
+The next possibility is a metadata service that's permanently gone away. Whereas network errors are still reasonably common, it is rare to encounter an import path pointing to a defunct public metadata service. Consider: that one import path can render the entire project unfetchable and/or uncompilable, and neither of those are states that popular projects can afford to be in for long. So, being that most (public Go ecosystem) dependencies are on the more popular projects, as long as you're also depending on the more popular projects, you're unlikely to encounter this.
+
+Of course, defunct _private_ metadata services may be much more common, as they are subject to entirely different incentives.
+
+If you think you've encountered a defunct metadata service, try probing the domain portion of the import path directly to see if there is an HTTP(S) server there at all. If not, you can only force with `source` - assuming you know what source URL you should use. If not, you may need to refactor your code (if the problem is in your project), pick a different version of the problem dependency, or drop the problem dependency entirely; sometimes, you just have to get rid of dead code.
+
+#### Static rule changes
+
+> **Remediation tl;dr:** make sure you have the latest released version of dep.
+
+Static rule changes are very unlikely to be the cause of your deduction failures.
+
+It is plausible that dep will add new static deduction rules in the future. And it is possible that, if you have an older version of dep, and you collaborate with or pull in code from someone using a newer version of dep, then their code may take advantage of new import path patterns that your dep doesn't know about yet. But very, very few static rules additions are likely to ever be made to dep over its lifetime - and getting access to them is just a question of updating once.
+
+The final scenario - dep discontinuing support for a static deduction pattern - is included for clarity and completeness, but simply should never happen. Even if a hosting service covered by static rules today were to shut down, dep would retain the existing static rules; if hosted code had been migrated elsewhere, then dep would attempt to perform a remapping automatically. If no such remapping were possible, then dep would still recognize the basic host pattern, but may fall back on using malformed import path errors - the next topic - to informatively reject new imports from the host.
+
+#### Malformed import paths
+
+For the most part, static ("is it one of the handful of hosts we know?") and dynamic ("just do whatever the metadata service tells us to do") deduction are single-pass checks. However, both cases can perform some minor additional validation:
+
+* In static deduction, the rules are necessarily specific to each host, but most enforce allowable characters and schemes in URLs that are known to be required by the underlying host.
+* In dynamic deduction, responses from the metadata service are minimally validated to ensure that the source type and scheme are all supported, and that the URL contains valid characters.
+
+### Solving failures
+
+When `dep ensure` or `dep init` exit with an error message looking something like this:
+
+```bash
+$ dep init
+init failed: unable to solve the dependency graph: Solving failure: No versions of github.com/foo/bar met constraints:
+ v1.0.1: Could not introduce github.com/foo/bar@v1.13.1, as its subpackage github.com/foo/bar/foo is missing. (Package is required by (root).)
+ v1.0.0: Could not introduce github.com/foo/bar@v1.13.0, as...
+ v0.1.0: (another error)
+ master: (another error)
+```
+
+_Note: all three of the other hard failure types can sometimes be reported as the errors for individual versions in a list like this. This primarily happens because dep is in need of a [thorough refactor of its error handling](https://github.com/golang/dep/issues/288)._
+
+It means that the solver was unable to find a combination of versions for all dependencies that satisfy all the rules enforced by the solver. It is crucial to note that, just because dep provides a big list of reasons why each version failed _doesn't mean_ you have to address each one! That's just dep telling you why it ultimately couldn't use each of those versions in a solution.
+
+These rules, and specific remediations for failing to meet them, are described in detail in the section on [solver invariants](the-solver.md#solving-invariants). This section is about the steps to take when solving failures occur in general. But, to set context, here's a summary:
+
+* **`[[constraint]]` conflicts:** when projects in the dependency graph disagree on what [versions](gopkg.toml.md#version-rules) are acceptable for a project, or where to [source](gopkg.toml.md#source) it from.
+ * Remediation will usually be either changing a `[[constraint]]` or adding an `[[override]]`, but genuine conflicts may require forking and hacking code.
+* **Package validity failure:** when an imported package is quite obviously not capable of being built.
+ * There usually isn't much remediation here beyond "stop importing that," as it indicates something broken at a particular version.
+* **Import comment failure:** when the import path used to address a package differs from the [import comment](https://golang.org/cmd/go/#hdr-Import_path_checking) the package uses to specify how it should be imported.
+ * Remediation is to use the specified import path, instead of whichever one you used.
+* **Case-only import variation failure:** when two equal-except-for-case imports exist in the same build.
+ * Remediation is to pick one case variation to use throughout your project, then manually update all projects in your depgraph to use the new casing.
+
+
+Let's break down the process of addressing a solving failure into a series of steps:
+
+1. First, look through the failed versions list for a version of the dependency that works for you (or a failure that seems fixable), then try to work that one out. Often enough, you'll see a single failure repeated across the entire version list, which makes it pretty clear what problem you need to solve.
+2. Take the remediation steps specific to that failure.
+3. Re-run the same command you ran that produced the failure. There are three possible outcomes:
+ 1. Success!
+ 2. Your fix was ineffective - the same failure re-occurs. Either re-examine your fix (step 2), or look for a new failure to fix (step 1).
+ 3. Your fix was effective, but some new failure arose. Return to step 1 with the new failure list.
+
diff --git a/docs/glossary.md b/docs/glossary.md
new file mode 100644
index 0000000000..0cb3aab932
--- /dev/null
+++ b/docs/glossary.md
@@ -0,0 +1,139 @@
+---
+id: glossary
+title: Glossary
+---
+
+dep uses some specialized terminology. Learn about it here!
+
+* [Atom](#atom)
+* [Cache lock](#cache-lock)
+* [Constraint](#constraint)
+* [Current Project](#current-project)
+* [Deducible](#deducible)
+* [Deduction](#deduction)
+* [Direct Dependency](#direct-dependency)
+* [External Import](#external-import)
+* [GPS](#gps)
+* [Local cache](#local-cache)
+* [Lock](#lock)
+* [Manifest](#manifest)
+* [Metadata Service](#metadata-service)
+* [Override](#override)
+* [Project](#project)
+* [Project Root](#project-root)
+* [Solver](#solver)
+* [Source](#source)
+* [Source Root](#source-root)
+* [Sync](#sync)
+* [Transitive Dependency](#transitive-dependency)
+
+---
+
+### Atom
+
+Atoms are a source at a particular version. In practice, this means a two-tuple of [project root](#project-root) and version, e.g. `github.com/foo/bar@master`. Atoms are primarily internal to the [solver](#solver), and the term is rarely used elsewhere.
+
+### Cache lock
+
+Also "cache lock file." A file, named `sm.lock`, used to ensure only a single dep process operates on the [local cache](#local-cache) at a time, as it is unsafe in dep's current design for multiple processes to access the local cache.
+
+### Constraint
+
+Constraints have both a narrow and a looser meaning. The narrow sense refers to a [`[[constraint]]`](Gopkg.toml.md#constraint) stanza in `Gopkg.toml`. However, in some contexts, the word may be used more loosely to refer to the idea of applying rules and requirements to dependency management in general.
+
+### Current Project
+
+The project on which dep is operating - writing its `Gopkg.lock` and populating its `vendor` directory.
+
+Also called the "root project."
+
+### Deducible
+
+A shorthand way of referring to whether or not import path [deduction](#deduction) will return successfully for a given import path. "Undeducible" is also often used, to refer to an import path for which deduction fails.
+
+### Deduction
+
+Deduction is the process of determining the subset of an import path that corresponds to a source root. Some patterns are known a priori (static); others must be discovered via network requests (dynamic). See the reference on [import path deduction](deduction.md) for specifics.
+
+### Direct Dependency
+
+A project's direct dependencies are those that it _imports_ from one or more of its packages, or includes in its [`required`](Gopkg.toml.md#required) list in `Gopkg.toml`.
+
+ If each letter in `A -> B -> C -> D` represents a distinct project containing only a single package, and `->` indicates an import statement, then `B` is `A`'s direct dependency, whereas `C` and `D` are [transitive dependencies](#transitive-dependency) of `A`.
+
+Dep only incorporates the `required` rules from the [current project's](#current-project) `Gopkg.toml`. Therefore, if `=>` represents `required` rather than a standard import, and `A -> B => C`, then `C` is a direct dependency of `B` _only_ when `B` is the current project. Because the `B`-to-`C` link does not exist when `A` is the current project, then `C` won't actually be in the graph at all.
+
+### External Import
+
+An `import` statement that points to a package in a project other than the one in which it originates. For example, an `import` in package `github.com/foo/bar` will be considered an external import if it points to anything _other_ than stdlib or `github.com/foo/bar/*`.
+
+### GPS
+
+Stands for "Go packaging solver", it is [a subtree of library-style packages within dep](https://godoc.org/github.com/golang/dep/gps), and is the engine around which dep is built. Most commonly referred to as "gps."
+
+### Local cache
+
+dep maintains its own, pristine set of upstream sources (so, generally, git repository clones). This is kept separate from `$GOPATH/src` so that there is no obligation to maintain disk state within `$GOPATH`, as dep frequently needs to change disk state in order to do its work.
+
+By default, the local cache lives at `$GOPATH/pkg/dep`. If you have multiple `$GOPATH` entries, dep will use whichever is the logical parent of the process' working directory. Alternatively, the location can be forced via the `DEPCACHEDIR` environment variable.
+
+### Lock
+
+A generic term, used across many language package managers, for the kind of information dep keeps in a `Gopkg.lock` file.
+
+### Manifest
+
+A generic term, used across many language package managers, for the kind of information dep keeps in a `Gopkg.toml` file.
+
+### Metadata Service
+
+An HTTP service that, when it receives an HTTP request containing a `go-get=1` in the query string, treats interprets the path portion of the request as an import path, and responds by embedding data in HTML `` tags that indicate the type and URL of of the underlying source root. This is the server-side component of dynamic [deduction](#deduction).
+
+The behavior of metadata services is defined in the [Go documentation on remote import paths](https://golang.org/cmd/go/#hdr-Remote_import_paths).
+
+Variously referenced as "HTTP metadata service", "`go-get` HTTP metadata service", "`go-get` service", etc.
+
+### Override
+
+An override is a [`[[override]]`](Gopkg.toml.md#override) stanza in `Gopkg.toml`.
+
+### Project
+
+A project is a tree of Go packages. Projects cannot be nested. See [Project Root](#project-root) for more information about how the root of the tree is determined.
+
+### Project Root
+
+The root import path for a project. A project root is defined as:
+
+* For the current project, the location of the `Gopkg.toml` file defines the project root
+* For dependencies, the root of the network [source](#source) (VCS repository) is treated as the project root
+
+These are generally one and the same, though not always. When using dep inside a monorepo, multiple `Gopkg.toml` files may exist at subpaths for discrete projects, designating each of those import paths as Project Roots. This works fine when working directly on those projects. If, however, any project not in the repository seeks to import the monorepo, dep will treat the monorepo's as one big Project, with the root directory being the Project Root; it will disregard any and all `Gopkg.toml` files in subdirectories.
+
+This may also be referred to as the "import root" or "root import path."
+
+### Solver
+
+"The solver" is a reference to the domain-specific SAT solver contained in [gps](#gps). More detail can be found on its [reference page](the-solver.md).
+
+### Source
+
+The remote entities that hold versioned code. Sources are specifically the entity containing the code, not any particular version of thecode itself.
+
+"Source" is used in lieu of "VCS" because Go package management tools will soon learn to use more than just VCS systems.
+
+### Source Root
+
+The portion of an import path that corresponds to the network location of a source. This is similar to [Project Root](#project-root), but refers strictly to the second, network-oriented definition.
+
+### Sync
+
+Dep's interaction model is based around the idea of maintaining a well-defined relationship between your project's import statements and `Gopkg.toml`, and your project's `Gopkg.lock` - keeping them "in sync". When the `Gopkg.lock` has more or fewer entries than are necessary, or entries that are incompatible with constraint rules established in `Gopkg.toml`, your project is "out of sync".
+
+This concept is explored in detail on [the ensure mechanics reference page](ensure-mechanics.md#staying-in-sync).
+
+### Transitive Dependency
+
+A project's transitive dependencies are those dependencies that it does not import itself, but are imported by one of its dependencies.
+
+If each letter in `A -> B -> C -> D` represents a distinct project containing only a single package, and `->` indicates an import statement, then `C` and `D` are `A`'s transitive dependencies, whereas `B` is a [direct dependency](#transitive-dependency) of `A`.
\ No newline at end of file
diff --git a/docs/installation.md b/docs/installation.md
new file mode 100644
index 0000000000..75171815b8
--- /dev/null
+++ b/docs/installation.md
@@ -0,0 +1,19 @@
+---
+title: Installation
+---
+
+It is strongly recommended that you use a released version of dep. While tip is never purposefully broken, its stability is not guaranteed.
+
+Pre-compiled binaries are available on the [releases](https://github.com/golang/dep/releases) page. On MacOS, you can also install or upgrade to the latest released version with Homebrew:
+
+```sh
+$ brew install dep
+$ brew upgrade dep
+```
+
+If you want to hack on dep, you can install via `go get`:
+
+```sh
+go get -u github.com/golang/dep/cmd/dep
+```
+Note that dep requires a functioning Go workspace and GOPATH. If you're unfamiliar with Go workspaces and GOPATH, have a look at [the language documentation](https://golang.org/doc/code.html#Organization) and get your local workspace set up. Dep's model could lead to being able to work without GOPATH, but we're not there yet.
\ No newline at end of file
diff --git a/docs/introduction.md b/docs/introduction.md
new file mode 100644
index 0000000000..c52d93473f
--- /dev/null
+++ b/docs/introduction.md
@@ -0,0 +1,11 @@
+---
+id: introduction
+title: Getting Started
+---
+
+
+Welcome! This is documentation for dep, the "official experiment" dependency management tool for the Go language. Dep is a tool intended primarily for use by developers, to support the work of actually writing and shipping code. It is _not_ intended for end users who are installing Go software - that's what `go get` does.
+
+This site has both guides and reference documents. The guides are practical explanations of how to actually do things with dep, whereas the reference material provides deeper dives on specific topics. Of particular note is the [glossary](#glossary.md) - if you're unfamiliar with terminology used in this documentation, make sure to check there!
+
+After [installing dep](installation.md), if you're using it for the first time, check out [Creating a New Project](new-project.md). Or, if you have an existing Go project that you want to convert to dep, [Migrating to Dep](migrating.md) is probably the place to start.
\ No newline at end of file
diff --git a/docs/migrating.md b/docs/migrating.md
new file mode 100644
index 0000000000..c48843b7d3
--- /dev/null
+++ b/docs/migrating.md
@@ -0,0 +1,103 @@
+---
+title: Migrating to Dep
+---
+
+Ideally, migrating an existing Go project to dep is straightforward:
+
+```bash
+$ cd $GOPATH/src/path/to/project/root
+$ dep init
+```
+
+For many projects, this will just work. `dep init` will make educated guesses about what versions to use for your dependencies, generate sane `Gopkg.toml`, `Gopkg.lock`, and `vendor/`, and if your tests pass and builds work, then you're probably done. (If so, congratulations! You should check out [Daily Dep](daily-dep.md) next.)
+
+The migration process is still difficult for some projects. If you're trying dep for the first time, this can be particularly frustrating, as you're trying to simultaneously learn how to use dep, and how your project *should* be managed in dep. The good news is, `dep init` is usually the big difficulty hump; once you're over it, things get much easier.
+
+The goal of this guide is to provide enough information for you to reason about what's happening during `dep init`, so that you can at least understand what class of problems you're encountering, and what steps you might take to address them. To that end, we'll start with an overview of what `dep init` is doing.
+
+> Note: the first run of `dep init` can take quite a long time, as dep is creating fresh clones of all your dependencies into a special location, `$GOPATH/pkg/dep/sources/`. This is necessary for dep's normal operations, and is largely a one-time cost.
+
+## `dep init` mechanics
+
+When migrating existing projects, the primary goal of `dep init` is to automate as much of the work of creating a `Gopkg.toml` as possible. This is necessarily a heuristic goal, as dep may not have a 1:1 correspondence for everything you may have done before. As such, it's important to only expect that `dep init`'s automated migrations are operating on a best-effort basis.
+
+The behavior of `dep init` varies depending on what's in your existing codebase, and the flags that are passed to it. However, it always proceeds in two phases:
+
+1. *Inference phase:* Infer, from various sources, rules and hints about which versions of dependencies to use.
+2. *Solving phase:* Work out a solution that is acceptable under dep's model, while incorporating the above inferences as much as possible.
+
+### The Inference Phase
+
+The inference phase is where `dep init`'s behavior varies. By default, `dep init` will look in your codebase for metadata files from [other Go package management tools that it understands](https://github.com/golang/dep/tree/master/internal/importers), and attempt to automatically migrate the data in these files into concepts that make sense in a dep. Depending on the tool and the particular values dep finds, metadata from the tool may be treated as either:
+
+* A hint: information that dep will try to honor in the solving phase, but will discard if it cannot find a solution that respects the hint.
+* A rule: information that must obeyed in the solving phase, and will ultimately appear in `Gopkg.toml` as a `[[constraint]]`. If the solving phase cannot find a solution that satisfies the rules, it will fail with an informative message.
+
+There are three circumstances that can lead dep not to make any tool-based inferences:
+
+- Your project doesn't use a package management tool
+- dep doesn't yet support the tool you use yet
+- You tell it not to, by running `dep init -skip-tools`
+
+After tool-based inference is complete, dep will normally proceed to the solving phase. However, if the user passes the `-gopath` flag, dep will first try to fill in any holes in the inferences drawn from tool metadata by checking the current project's containing GOPATH. Only hints are gleaned from GOPATH, and they will never supersede inferences from tool metadata. If you want to put GOPATH fully in charge, pass both flags: `dep init -skip-tools -gopath`.
+
+Once dep has compiled its set of inferences, it proceeds to solving.
+
+### The Solving Phase
+
+Once the inference phase is completed, the set of rules and hints dep has assembled will be passed to its [solver](solver.md) to work out a transitively complete depgraph, which will ultimately be recorded as the `Gopkg.lock`. This is the same solving process used by `dep ensure`, and completing it successfully means that dep has found a combination of dependency versions that respects all inferred rules, and as many inferred hints as possible. If solving succeeds, then the hard work is done; most of what remains is writing out `Gopkg.toml`, `Gopkg.lock`, and `vendor/`.
+
+The solver returns a solution, which itself is just [a representation](https://godoc.org/github.com/golang/dep/gps#Solution) of [the data stored in a `Gopkg.lock`](https://godoc.org/github.com/golang/dep#Lock): a transitively-complete, reproducible snapshot of the entire dependency graph. Writing out the `Gopkg.lock` from a solution is little more than a copy-and-encode operation, and writing `vendor/` is a matter of placing each project listed in the solution into its appropriate place, at the designated revision. This is exactly the same as `dep ensure`'s behavior.
+
+`Gopkg.toml` is a little different. There's no guarantee that rules were inferred for all (or even any) of your project's dependencies, but we still want to populate `Gopkg.toml` with sane values. So, for any dependency for which a rule was not inferred, dep inspects the solution to see what version was ultimately selected, and creates a constraint based on that:
+
+* If a branch, like `master`, was picked in the solution, then `branch: "master"` will appear in `Gopkg.toml`.
+* If a semantic version-compliant version was selected, like `v1.2.0`, then that will be specified as a minimum version: `version: "v1.2.0"`.
+* If only a raw revision was selected, nothing will be put in `Gopkg.toml`. While dep does allow `revision: "âŚ"` constraints in `Gopkg.toml`, use of them is considered an antipattern, so dep does not create them automatically in order to avoid implicitly encouraging their use.
+
+## Dealing with failures
+
+First and foremost, make sure that you're running `dep init` with the `-v` flag. That will provide a lot more information.
+
+`dep init`, like dep in general, has both hard and soft failure modes. Hard failures result in the process hanging or aborting entirely, without anything being written to disk. Soft failures may or may not include warnings, but do ultimately write out a `Gopkg.toml`, `Gopkg.lock`, and `vendor/` - just, not the ones you wanted. Before we dig into those, though, let's set some context.
+
+While dep contributors have invested enormous effort into creating automated migration paths into dep, these paths will always best-effort and imprecise. It's simply not always possible to convert from other tools or GOPATH with full fidelity. dep is an opinionated tool, with a correspondingly opinionated model, and that model does sometimes fundamentally differ from that of other tools. Sometimes these model mismatches result in hard failures, sometimes soft, and sometimes there's no harm at all.
+
+Because these are deep assumptions, their symptoms can be varied and surprising. Keeping these assumptions in mind could save you some hair-pulling later on.
+
+- dep does not allow nested `vendor/` directories; it flattens all dependencies to the topmost `vendor/` directory, at the root of your project. This is foundational to dep's model, and cannot be disabled.
+- dep wholly controls `vendor`, and will blow away any manual changes or additions made to it that deviate from the version of an upstream source dep selects.
+- dep requires that all packages from a given project/repository be at the same version.
+- dep generally does not care about what's on your GOPATH; it deals exclusively with projects sourced from remote network locations. (Hint inference is the only exception to this; once solving begins, GOPATH - and any custom changes you've made to code therein - is ignored.)
+- dep generally prefers semantic versioning-tagged releases to branches (when not given any additional rules). This is a significant shift from the "default branch" model of `go get` and some other tools. It can result in dep making surprising choices for dependencies for which it could not infer a rule.
+- dep assumes that all generated code exists, and has been committed to the source.
+
+A small number of projects that have reported being unable, thus far, to find a reasonable way of adapting to these requirements. If you can't figure out how to make your project fit, please file an issue - while dep necessarily cannot accommodate every single existing approach, it is dep's goal is define rules to which all Go projects can reasonably adapt.
+
+### Hard failures
+
+All of the hard failure modes are covered extensively in the reference on [failure modes](failure-modes.md).
+
+Because the solver, and all its possible failures, are the same for `dep init` as for `dep ensure`, there's a separate section for understanding and dealing with them: [dealing with solving failures](failure-modes.md#solving-failures). It can be trickier with `dep init`, however, as many remediations require tweaking `Gopkg.toml`.
+
+Unfortunately, `dep init` does not write out a partial `Gopkg.toml` when it fails. This is a known, critical problem, and [we have an open issue (help wanted!)](https://github.com/golang/dep/issues/909).
+
+In the meantime, if the particular errors you are encountering do entail `Gopkg.toml` tweaks, you unfortunately may have to do without the automation of `dep init`: create an empty [`Gopkg.toml`](Gopkg.toml.md), and populate it with rules by hand. Before resorting to that, make sure you've run `dep init` with various combinations of the inferencing flags (`-skip-tools` and `-gopath`) to see if they can at least give you something to start from.
+
+### Soft failures
+
+Soft failures are cases where `dep init` appears to exit cleanly, but a subsequent `go build` or `go test` fails. Dep's soft failures are usually more drastically than subtly wrong - e.g., an explosion of type errors when you try to build, because a wildly incorrect version for some dependency got selected.
+
+If you do encounter problems like this, `dep status` is your first diagnostic step; it will report what versions were selected for all your dependencies. It may be clear which dependencies are a problem simply from your building or testing error messages. If not, compare the `dep status` list against the versions recorded by your previous tool to find the differences.
+
+Once you've identified the problematic dependenc(ies), the next step is exerting appropriate controls over them via `Gopkg.toml`.
+
+For each of the following items, assume that you should run `dep ensure` after making the suggested change. If that fails, consult [dealing with solving failures]().
+
+* If the wrong `[[constraint]]` was inferred for one of your direct dependencies, change it. Then, file an issue against dep (please!) - while `dep init` may choose to omit a constraint, converting one incorrectly is considered a bug.
+* If one of your transitive dependencies is at the wrong version, define an `[[override]]` on it to force it to the version you need.
+ * If the version you need is a specific git commit, it's preferable to instead manually change the `revision` to the desired hash in `Gopkg.lock` for that project, then drop the `version` or `branch` fields (if any).
+* If one of your direct dependencies is at the wrong version and there's no `[[constraint]]` on it in `Gopkg.toml` already, then define an appropriate one.
+ * As with the transitive dependencies, if the version you need is a specific git commit, prefer doing that manually in `Gopkg.lock`.
+
+Hopefully this information is enough to get you through your project's migration to dep. If not, please feel free to file an issue, or join us in [#vendor on the Gopher's slack](https://gophers.slack.com/messages/C0M5YP9LN) for help!
\ No newline at end of file
diff --git a/docs/new-project.md b/docs/new-project.md
new file mode 100644
index 0000000000..63beb68b6c
--- /dev/null
+++ b/docs/new-project.md
@@ -0,0 +1,37 @@
+---
+title: Creating a New Project
+---
+
+Once you have [dep installed](installation.md), we need to pick a root directory for our project. This is primarily about picking the right root import path, and corresponding directory beneath `$GOPATH/src`, at which to situate your project. There are four basic possibilities:
+
+1. A project that is now or eventually may be shared with or imported by other projects/people. In this case, pick the import path corresponding to the VCS root of its intended network location, e.g., `$GOPATH/src/github.com/golang/dep`.
+2. An entirely local project - one that you have no intention of pushing to a central server (like GitHub). In this case, any subdirectory beneath `$GOPATH/src` will do.
+3. A project that needs to live within a large repository, such as a company monorepo. This may be possible, but gets more complicated. (Unfortunately, no docs on this yet - coming soon!)
+4. Treat the entire GOPATH as a single project, where `$GOPATH/src` is the root. dep [does not currently support this](https://github.com/golang/dep/issues/417) - it needs a non-empty import path to treat as the root of your project's import namespace.
+
+We'll assume the first case, as it's the most common. Create and move into the directory:
+
+```bash
+$ mkdir -p $GOPATH/src/github.com/me/example
+$ cd $GOPATH/src/github.com/me/example
+```
+
+Now, we'll initialize the project:
+
+```bash
+$ dep init
+$ ls
+Gopkg.toml Gopkg.lock vendor/
+```
+
+In a new project like this one, both files and the `vendor` directory will be effectively empty.
+
+This would also be a good time to set up a version control, such as [git](https://git-scm.com/). While dep in no way requires version control for your project, it can make inspecting the changes made by normal dep operations easier. Plus, it's basically best practice #1 of modern software development!
+
+At this point, our project is initialized, and we're ready to start writing code. You can open up a `.go` file in an editor and start hacking away. Or, if you already know some projects you'll need, you can pre-populate your `vendor` directory with them:
+
+```bash
+$ dep ensure -add github.com/foo/bar github.com/baz/quux
+```
+
+Now you're ready to move on to [Daily Dep](daily-dep.md)!
\ No newline at end of file
diff --git a/docs/the-solver.md b/docs/the-solver.md
new file mode 100644
index 0000000000..25854dbd5f
--- /dev/null
+++ b/docs/the-solver.md
@@ -0,0 +1,84 @@
+---
+title: The Solver
+---
+
+At the heart of dep is a constraint solving engine - a [CDCL]()-style [SMT]() solver, tailored specifically to the domain of Go package management. It lives in the `github.com/golang/dep/gps` package, and is where the work of determining a valid, transitively complete dependency graph (aka, the contents of `Gopkg.lock`) is performed.
+
+This page will eventually detail the solver's mechanics, but in the meantime, there are [docs for an older version of the solver](https://github.com/sdboyer/gps/wiki/gps-for-Contributors) that are still accurate enough to provide a rough picture of its behavior.
+
+## Solving invariants
+
+The solver guarantees certain invariants in every complete solution it returns. Each invariant is explored in detail later, but they can be summarized as follows:
+
+* All rules specified in activated `[[constraint]]` stanzas in both the current project and dependency projects will be satisfied, unless superseded by a `[[override]]` stanza in the current project.
+* For all import paths pointing into a given project, the version of the project selected will contain "valid" Go packages in the corresponding directory.
+* If an [import comment](https://golang.org/cmd/go/#hdr-Import_path_checking) is specified by a package, any import paths addressing that package will be of the form specified in the comment.
+* For any given import path, all instances of that import path will use the exact same casing.
+
+The solver is an iterative algorithm, working its way project-by-project through possible dependency graphs. In order to select a project, it must first prove that, to the best of its current knowledge, all of the above conditions are met. When the solver cannot find a solution, failure is defined in terms of a project's version's inability to meet one of the above criteria.
+
+### `[[constraint]]` rules
+
+As described in the `Gopkg.toml` docs, each [`[[constraint]]`](gopkg.toml.md#constraint) stanza is associated with a single project, and each stanza can contain both [a version rule](Gopkg.toml.md#version-rules) and a [source rule](Gopkg.toml.md#source). For any given project `P`, all dependers on `P` whose constraint rules are "activated" must express mutually compatible rules. That means:
+
+* For version rules, all activated constraints on `P` must [intersect](https://en.wikipedia.org/wiki/Intersection_(set_theory)), and and there must be at least one published version must exist in the intersecting space. Intersection varies depending on version rule type:
+ * For `revision` and `branch`, it must be a string-literal match.
+ * For `version`, if the string is not a valid semantic version, then it must be a string-literal match.
+ * For `version` that are valid semantic version ranges, intersection is standard set-theoretic intersection of the possible values in each range range. Semantic versions without ranges are treated as a single element set (e.g., `version = "=v1.0.0"`) for intersection purposes.
+* For `source` rules, all projects with a particular dependency must either express a string-equal `source` value, or have no `source` value at all. This allows one dependency to specify an alternate `source`, and other dependencies to play along if they have no opinion. (NB: this play-along behavior may be removed in a future version.)
+
+If the current project's `Gopkg.toml` has an [`[[override]]`](gopkg.toml.md#override) on `P`, then all `[[constraint]]` declarations (including any in the current project) are ignored, obviating the possibility of conflict.
+
+#### Activated constraints
+
+Just because a `[[constraint]]` on `P` appears in `D`'s `Gopkg.toml` doesn't necessarily mean the constraint on `P` is considered active. A package in `P` must be imported by a package in `D` - and, if `D` is not the current project, then one of its packages importing `P` must also be imported.
+
+Given the following dependency graph, where `C` is the current project:
+
+```
+C -> D
+C -> P
+D/subpkg -> P
+```
+
+Even though `C` imports `D`, because `D/subpkg` is not reachable through `C`'s imports, any `[[constraint]]` declared in `D`'s `Gopkg.toml`' on `P` will not be active.
+
+The reasoning behind this behavior is explained further [in this gist](https://gist.github.com/sdboyer/b0813bf2b9dba58a335a85092085472f).
+
+### Package validity
+
+dep does only superficial validaton of code in packages, but it does do some. For a package to be considered valid, three things must be true:
+
+* There must be at least one `.go` file.
+* No errors are reported from [`parser.ParseFile()`](https://golang.org/pkg/go/parser/#ParseFile) when called with [`parser.ImportsOnly|parser.ParseComments`](https://golang.org/pkg/go/parser/#Mode) on any file in the package directory.
+
+- The package must not contain any [local imports](https://golang.org/pkg/go/build/#IsLocalImport). Note: this disallows something the standard toolchain compiler does allow, which is normally means dep must support it. However, local imports are already strongly discouraged in the toolchain, and skipping them allows dep to avoid [dot-dot hell](https://9p.io/sys/doc/lexnames.html).
+
+If any of the above are untrue, the code in a package is considered malformed, and cannot be used in a solution.
+
+It is not immediately disqualifying for a project to merely contain some invalid packages; they must be imported for the invariant to be broken. So, if `P/invalid` is a subpackage with invalid code in it, then it is still acceptable if `C -> P`. However, internal imports within `P` are also considered, so this import chain:
+
+```
+C -> P
+P -> invalid
+```
+
+will result in an error, as `C` imports a package that will necessarily result in the import of an invalid package.
+
+### Import comments
+
+Go 1.4 introduced [import comments](https://golang.org/cmd/go/#hdr-Import_path_checking), which allow a package to specify the import path that must be used when addressing it. For example, `import "github.com/golang/net/dict"` would point to a valid package, but because [it uses an import comment](https://github.com/golang/net/blob/42fe2e1c20de1054d3d30f82cc9fb5b41e2e3767/dict/dict.go#L7) to enforce that it must be imported as `golang.org/x/net/dict`, dep would reject any project attempting to import it directly through its github address.
+
+Because most projects are consistent about their import comment use over time, this issue typically only occurs when adding a new dependency or attempting to revive an older project.
+
+> Note: dep does not currently enforce this rule, but [it needs to](https://github.com/golang/dep/issues/902).
+
+**Remediation:** change the code by fixing the offending import paths. If the offending import paths are not in the current project and you don't directly control the dependency, you'll have to fork and fix it yourself, then use `source` to point to your fork.
+
+### Import path casing
+
+The standard Go toolchain compiler [does not](https://github.com/golang/go/issues/4773) [allow](https://github.com/golang/go/issues/20264) import paths that vary only in case to exist in the same build. For example, either of `github.com/sirupsen/logrus` or `github.com/Sirupsen/logrus` are fine (GitHub treats usernames as case-insensitive) individually, but they cannot exist in the same project.
+
+The solver keeps track of the accepted case variant for each import path it's processed. Any subsequent projects it sees that introduces a case-only variation for a known import path will be rejected.
+
+**Remediation:** Pick a casing variation (all lowercase is usually the right answer), and enforce it universally across the depgraph. As it has to be respected in all dependencies, as well, this may necessitate pull requests and possibly forking of dependencies, if you don't control them directly.
\ No newline at end of file
diff --git a/website/.gitignore b/website/.gitignore
new file mode 100644
index 0000000000..aeedda9bfc
--- /dev/null
+++ b/website/.gitignore
@@ -0,0 +1,11 @@
+node_modules
+.DS_Store
+lib/core/metadata.js
+lib/core/MetadataBlog.js
+website/translated_docs
+website/build/
+website/yarn.lock
+website/node_modules
+
+website/i18n/*
+!website/i18n/en.json
diff --git a/website/blog/2018-01-23-announce-v0.4.0.md b/website/blog/2018-01-23-announce-v0.4.0.md
new file mode 100644
index 0000000000..ad94a0927b
--- /dev/null
+++ b/website/blog/2018-01-23-announce-v0.4.0.md
@@ -0,0 +1,39 @@
+---
+title: Announcing dep v0.4.0 (with docs!)
+author: sam boyer
+authorURL: http://twitter.com/sdboyer
+---
+
+v0.4.0 of dep [has been released](https://github.com/golang/dep/releases/tag/v0.4.0) - and along with it, this site for documentation and announcements about dep! And, being that it's been nearly six months since [the last dep status update](https://sdboyer.io/dep-status/2017-08-17/) (which are now officially discontinued, in favor of this blog), and the roadmap hasn't been substantially updated in even longer, we'll use this release as an excuse to bring a bunch of things up to speed.
+
+### A new dep release!
+
+After three months of work, the next version of dep is stable and ready for public use. The big headline changes are:
+
+* `dep prune` no longer exists as a separate command. It has been absorbed into `dep ensure`, and its behavior can now be more granularly controlled by [directives in `Gopkg.toml`](https://golang.github.io/dep/docs/Gopkg.toml.html#prune). Calls to `dep prune` will not fail now, but will in future versions, so update your scripts!
+* Support for govendor and glock have been added; `dep init` can now read their metadata files and attempt to automatically convert projects managed by those tools.
+
+Additional information is available in [the release notes](https://github.com/golang/dep/releases/tag/v0.4.0). The other major addition is this documentation site!
+
+### Docs docs docs
+
+Dep has had a documentation problem for a while. Having a single-command interface helped us get by with having only an FAQ, but as time wore on, it became increasingly clear that we needed a comprehensive set of documentation if people were to really feel comfortable with the tool.
+
+This site, which is automatically generated from the [docs directory](https://github.com/golang/dep/tree/master/docs) within the dep repository by [docusaurus](http://docusaurus.io/), is now that comprehensive source of docs. More so than any individual bit of information, it provides some broader benefits:
+
+* New user guides - reference documentation is not what folks need when starting with a new tool. Step-by-step instructions are. Now [we have that](https://golang.github.io/dep/docs/introduction.html), and it caters to users who are not only new to dep, but also to Go in general.
+* Thematic organization of content - up until now, we were somewhat haphazardly flinging information into the FAQ. The body of documentation here is organized from the ground up, which will hopefully make it both more useful and easier to maintain.
+* Versioning - all of the docs are snapshotted on each release, and users can [select the version of the docs](https://golang.github.io/dep/versions.html) they want to view. Ideally, everyone should always be able to use the latest version, but this at least means you're not penalized if that's not feasible for you/your organization.
+* A blog - you're reading it! This is great, as it provides us a canonical place to circulate information about what's happening with the project.
+
+At the same time, the docs aren't quite comprehensive _yet_. There's more reference material and guides to be written. For example, we're still missing a guide for project maintainers on how to make releases that align well with dep's happy path.
+
+Also, now that we have this whole docs apparatus, it would be particularly awesome if someone were to step up to help as a [docs maintainer](https://github.com/golang/dep/issues/629#issuecomment-359922251)! Also also, the CSS on this site is terrible, and
+
+### The future
+
+Right now, there's two aspects to the future of dep. One is the roadmap of changes and features that make sense for dep as it exists today, in this standalone context. The other is the roadmap for moving dep into the toolchain.
+
+For the former, we have a fair bit of work underway that, now that this release is out the door, we can move on quickly. That includes major performance improvements, solver improvements to pick a sane version more of the time with less manual intervention, allowing the `source` field to work the way [most people expect it to](https://github.com/golang/dep/issues/860), and others. The goal is also to move dep towards a more regular release schedule.
+
+With respect to dep's movement towards the toolchain, discussions have already been ongoing between dep folks and the Go team for months. Movement into the toolchain is not a simple process. Some rules that dep, as a standalone tool, had to accept as law, become negotiable (for example, the semantics of vendor directories). There's also the question of how to best fit dep's commands themselves into the `go` tool. These present both interesting design opportunities and considerable risk. More information and opportunities for comment will be coming as we move into the Go 1.10 cycle. As has always been the plan, though, dep will continue to exist as a standalone tool until the toolchain has evolved sufficiently to supplant it.
\ No newline at end of file
diff --git a/website/core/Footer.js b/website/core/Footer.js
new file mode 100644
index 0000000000..98956ad5ec
--- /dev/null
+++ b/website/core/Footer.js
@@ -0,0 +1,29 @@
+const React = require('react');
+
+const siteConfig = require(process.cwd() + '/siteConfig.js');
+
+class Footer extends React.Component {
+ render() {
+ const currentYear = new Date().getFullYear();
+ return (
+
+ );
+ }
+}
+
+module.exports = Footer;
diff --git a/website/i18n/en.json b/website/i18n/en.json
new file mode 100644
index 0000000000..caf77a3dba
--- /dev/null
+++ b/website/i18n/en.json
@@ -0,0 +1,30 @@
+{
+ "_comment": "This file is auto-generated by write-translations.js",
+ "localized-strings": {
+ "next": "Next",
+ "previous": "Previous",
+ "tagline": "Dependency management for Go",
+ "daily-dep": "Daily Dep",
+ "deduction": "Import Path Deduction",
+ "ensure-mechanics": "Models and Mechanisms",
+ "failure-modes": "Failure Modes",
+ "FAQ": "FAQ",
+ "glossary": "Glossary",
+ "Gopkg.lock": "Gopkg.lock",
+ "Gopkg.toml": "Gopkg.toml",
+ "installation": "Installation",
+ "introduction": "Getting Started",
+ "migrating": "Migrating to Dep",
+ "new-project": "Creating a New Project",
+ "the-solver": "The Solver",
+ "Documentation": "Documentation",
+ "Blog": "Blog",
+ "Guides": "Guides",
+ "References": "References"
+ },
+ "pages-strings": {
+ "Help Translate|recruit community translators for your project": "Help Translate",
+ "Edit this Doc|recruitment message asking to edit the doc source": "Edit",
+ "Translate this Doc|recruitment message asking to translate the docs": "Translate"
+ }
+}
diff --git a/website/package.json b/website/package.json
new file mode 100644
index 0000000000..ec2e7d7460
--- /dev/null
+++ b/website/package.json
@@ -0,0 +1,14 @@
+{
+ "scripts": {
+ "examples": "docusaurus-examples",
+ "start": "docusaurus-start",
+ "build": "docusaurus-build",
+ "publish-gh-pages": "docusaurus-publish",
+ "write-translations": "docusaurus-write-translations",
+ "version": "docusaurus-version",
+ "rename-version": "docusaurus-rename-version"
+ },
+ "devDependencies": {
+ "docusaurus": "^1.0.5"
+ }
+}
diff --git a/website/pages/en/help.js b/website/pages/en/help.js
new file mode 100755
index 0000000000..0a63c19e49
--- /dev/null
+++ b/website/pages/en/help.js
@@ -0,0 +1,43 @@
+const React = require('react');
+
+const CompLibrary = require('../../core/CompLibrary.js');
+const Container = CompLibrary.Container;
+const GridBlock = CompLibrary.GridBlock;
+
+const siteConfig = require(process.cwd() + '/siteConfig.js');
+
+class Help extends React.Component {
+ render() {
+ const supportLinks = [
+ {
+ content:
+ 'Learn more using the [documentation on this site.](/test-site/docs/en/doc1.html)',
+ title: 'Browse Docs',
+ },
+ {
+ content: 'Ask questions about the documentation and project',
+ title: 'Join the community',
+ },
+ {
+ content: "Find out what's new with this project",
+ title: 'Stay up to date',
+ },
+ ];
+
+ return (
+
+
+
+
+
Need help?
+
+
This project is maintained by a dedicated group of people.
-
-
-_Note: until we ship [vendor verification](https://github.com/golang/dep/issues/121), we can't efficiently perform the `Gopkg.lock` <-> `vendor/` comparison, so `dep ensure` unconditionally regenerates all of `vendor/` to be safe._
-
-`dep ensure` is safe to run early and often. See the help text for more detailed
-usage instructions.
-
-```sh
-$ dep help ensure
-```
-
-### Installing dependencies
-
-(if your `vendor/` directory isn't [checked in with your code](docs/FAQ.md#should-i-commit-my-vendor-directory))
-
-
-
-```sh
-$ dep ensure
-```
-
-If a dependency already exists in your `vendor/` folder, dep will ensure it
-matches the constraints from the manifest. If the dependency is missing from
-`vendor/`, the latest version allowed by your manifest will be installed.
-
-### Adding a dependency
-
-```sh
-$ dep ensure -add github.com/foo/bar
-```
-
-This adds a version constraint to your `Gopkg.toml`, and updates `Gopkg.lock` and `vendor/`. Now, import and use the package in your code! â¨
-
-`dep ensure -add` has some subtle behavior variations depending on the project or package named, and the state of your tree. See `dep ensure -examples` for more information.
-
-### Changing dependencies
-
-If you want to:
-
-* Change the allowed `version`/`branch`/`revision`
-* Switch to using a fork
-
-for one or more dependencies, do the following:
-
-1. Manually edit your `Gopkg.toml`.
-1. Run
-
- ```sh
- $ dep ensure
- ```
-
-### Checking the status of dependencies
-
-Run `dep status` to see the current status of all your dependencies.
-
-```sh
-$ dep status
-PROJECT CONSTRAINT VERSION REVISION LATEST
-github.com/Masterminds/semver branch 2.x branch 2.x 139cc09 c2e7f6c
-github.com/Masterminds/vcs ^1.11.0 v1.11.1 3084677 3084677
-github.com/armon/go-radix * branch master 4239b77 4239b77
-```
-
-On top of that, if you have added new imports to your project or modified `Gopkg.toml` without running `dep ensure` again, `dep status` will tell you there is a mismatch between `Gopkg.lock` and the current status of the project.
-
-```sh
-$ dep status
-Lock inputs-digest mismatch due to the following packages missing from the lock:
-
-PROJECT MISSING PACKAGES
-github.com/Masterminds/goutils [github.com/Masterminds/goutils]
-
-This happens when a new import is added. Run `dep ensure` to install the missing packages.
-```
-
-As `dep status` suggests, run `dep ensure` to update your lockfile. Then run `dep status` again, and the lock mismatch should go away.
-
-### Visualizing dependencies
-
-Generate a visual representation of the dependency tree by piping the output of `dep status -dot` to [graphviz](http://www.graphviz.org/).
-#### Linux
-```
-$ sudo apt-get install graphviz
-$ dep status -dot | dot -T png | display
-```
-#### MacOS
-```
-$ brew install graphviz
-$ dep status -dot | dot -T png | open -f -a /Applications/Preview.app
-```
-#### Windows
-```
-> choco install graphviz.portable
-> dep status -dot | dot -T png -o status.png; start status.png
-```
-