[DO NOT MERGE, need fix verification] manifest: skip ProjectRoot validation for alt source

[darkowlzz]

What does this do / why do we need it?

Alternate source could be used to bypass network reachability issues and
when that is the case, PR validation fails because gps tries to reach
the project over network and the project isn't reachable.

This change skips PR validation for projects with alternate source only.

What should your reviewer look out for in this PR?

Implementation. Any possible side-effect?

Do you need help or clarification on anything?

Any way to do any better for validation other than skipping?

Which issue(s) does this PR fix?

fixes #1322

[sdboyer]

So i'm kinda confused about why this PR helps people with their problems. There are a number of places where the same DeduceProjectRoot() call is made - the one that people say is causing them such pain. It's not obvious to me why removing just this call to it would have any effect.

[godcong]

when skip validate in ProjectRoot
next step validateParams will dead on the same

[godcong]

Any progress?
Assumptions golang.org does not exist

a toml file like this will failed
[[constraint]]
name = "golang.org/x/text"
branch = "master"
source = "github.com/golang/text"
in GFW the golang.org does not exist...

the deduce will visit the golang.org first...
any action visit the golang.org will be failed...

@sdboyer @darkowlzz

[darkowlzz]

I've updated this PR with changes to project root deduction that would make dep trust the name as a proper project root and would not try to deduce project root for validation, as mentioned in #860 (comment) . I think we better show some kind of warnings when we have an alternate source, and tell the user to make sure the name is actually project root because dep would not validate it. That can be done once we have a proper solution to the problem.

@godcong can you build this PR and check if it solves all the issues?

[godcong]

i build it based on 1dc2d8b
then tested it.

this commit for something is ok!
like when i use golang.org/x/text

but when i import some subproject from golang.org it will failed.
like this
test.go:
import "golang.org/x/crypto/bcrypt"

gopkg.toml:
[[constraint]]
name = "golang.org/x/crypto"
branch = "master"
source = "github.com/golang/crypto"

[prune]
go-tests = true
unused-packages = true

i logged out the call stack:

---

2018/02/13 23:25:40 golang.org/x/crypto/bcrypt
2018/02/13 23:25:40 8391964 D:/workspace/goproject/src/github.com/golang/dep/project.go 230 true
2018/02/13 23:26:22 golang.org/x/crypto/bcrypt
2018/02/13 23:26:22 8166752 D:/workspace/goproject/src/github.com/golang/dep/gps/solver.go 426 true
The following errors occurred while deducing packages:

• "golang.org/x/crypto/bcrypt": unable to deduce repository and source type for "golang.org/x/crypto/bcrypt": unable to read metadata: unable to fetch raw metadata: failed HTTP request to URL "http://golang.org/x/crypto/bcrypt?go-get=1": Get http://golang.org/x/crypto/bcrypt?go-get=1: dial tcp 216.239.37.1:80: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

validateParams: could not deduce external imports' project roots

---

the source is
golang.org/x/crypto
and the import is
golang.org/x/crypto/bcrypt

so it cannot be skipped

@darkowlzz

[godcong]

i tried some like this

test.go:
import "golang.org/x/crypto/bcrypt"

gopkg.toml:
[[constraint]]
name = "golang.org/x/crypto/bcrypt"
branch = "master"
source = "github.com/golang/crypto"
the failed log:
2018/02/13 23:52:22 p golang.org/x/crypto/bcrypt {github.com/golang/crypto master}
Warning: the following project(s) have [[constraint]] stanzas in Gopkg.toml:

✗ golang.org/x/crypto/bcrypt

However, these projects are not direct dependencies of the current project:
they are not imported in any .go files, nor are they in the 'required' list in
Gopkg.toml. Dep only applies [[constraint]] rules to direct dependencies, so
these rules will have no effect.

Either import/require packages from these projects so that they become direct
dependencies, or convert each [[constraint]] to an [[override]] to enforce rules
on these projects, if they happen to be transitive dependencies.

2018/02/13 23:52:22 v golang.org/x/crypto/bcrypt {github.com/golang/crypto master}
Root project is "github.com/godcong/test"
1 transitively valid internal packages
1 external packages imported from 1 projects
(0) ✓ select (root)
(1) ? attempt golang.org/x/crypto/bcrypt (from github.com/golang/crypto) with 1 pkgs; 1 versions to try
(1) try golang.org/x/crypto/bcrypt (from github.com/golang/crypto)@master
(2) ✗ golang.org/x/crypto/bcrypt at master has problem subpkg(s):
(2) golang.org/x/crypto/bcrypt has err (*build.NoGoError); required by (root).
(1) ← no more versions of golang.org/x/crypto/bcrypt (from github.com/golang/crypto) to try; begin backtrack
✗ solving failed

Solver wall times by segment:
b-list-pkgs: 7.142713s
b-source-exists: 3.7440602s
select-root: 0s
new-atom: 0s
b-list-versions: 0s
satisfy: 0s
other: 0s

TOTAL: 10.8867732s

Solving failure: No versions of golang.org/x/crypto/bcrypt met constraints:
master: Could not introduce golang.org/x/crypto/bcrypt (from github.com/golang/crypto)@master, as its subpackage golang.org/x/crypto/bcrypt does not contain usable Go code (*build.NoGoError).. (Package is required by (root).)

[godcong]

some suggest for this problem
i think dep init need a function to only create gopkg.lock and gopkg.toml

[helphi]

@darkowlzz We need this PR very hard, because of the ProjectRoot validation, almost all the developers in China can't download dependencies with dep ...

[darkowlzz]

@helphi sorry but this PR was just an experiment to understand how the failures are happening. Please use HTTP proxy as a workaround for GFW issue. Refer https://stackoverflow.com/questions/10383299/how-do-i-configure-go-to-use-a-proxy for an example of using HTTP proxy.

[helphi]

@darkowlzz you know, if we have a proxy witch can through GFW, can we be annoyed with this issue?
I think this is a bug and need fix, because the purpose of source is to get the package whose repository has been removed or broken or unreachable, but now it can't be able to do what it should do. And in the old release it's working correctly.

[godcong]

if you have a proxy, run
set http_proxy=127.0.0.1:1235
set https_proxy=127.0.0.1:1235
before use dep
127.0.0.1:1235 is my proxy address
then dep can visit golang.org to through validate

[helphi]

@godcong for example, there is a package named x.x.x/no/no, even if you have a proxy, you can't get the package, because the package not exists on the internet. But if dep can translate x.x.x/no/no to github.com/no/no, we can get any broken package from an alternative address. dep can do this before, but now there is a bug, because when dep do this, it will check if the address x.x.x/no/no is reachable, if not, fail...

[warm3snow]

Haven't this problem solved? It is so annoying.

[helphi]

It is not necessary anymore, we can use the new go mod.

[mvdan]

Dep was officially deprecated earlier this year, and the proposal to archive this repository was accepted. As such, I'm closing outstanding issues before archiving the repository. For any further comments, please use the proposal thread on the Go issue tracker. Thanks!