A busy week revolving around the very good DevOpsDays London 👏🏼

• Spoke at the Go lightning talks at work about dependency-management-data, as a practice run for DevOpsDays London
  • Got some good interest, even finding some use cases in the past that it would've been very useful for flagging a few internal apps affected by the same bug
  • Set up the repo's infrastructure, and will see about getting it set up to be regularly updating
• Made some big updates to my /elsewhere/ page, which I'm quite happy with, and were well timed before the conference
• With DevOpsDays now out of the way, I need to start prepping for DDD East Midlands in two weeks - this time with a new talk I've never done 😱
• Made my first contribution to GitLab, through the glab CLI
• Had a couple of "decadent" lunches on the sofa while Cookie was at daycare, and then at Anna's parents, which was nice and meant we got to get through more of Only Murders in the Building
• Was a great couple of days at DevOpsDays London
  • Had a nice time at the speaker dinner, got a chance to meet some of the other speakers and have some social time before the event started, especially as we didn't know as many folks going this year
  • Had some nice chats with various folks at the conference, including a couple of (ex-)Nottingham folks!
  • I've made a good start with my writeup, but it probably won't be ready till next week
  • My dependency-management-data talk went well, I felt like I rushed a couple of slides, but it seemed to come across well and my preview of the recording shows that it came across pretty well
  • Didn't make it to the afterparty on Thursday as the rain was awful on top of being tired, so caught up on Ahsoka
  • Some good talks and conversations across the couple of days
  • Got a very nice meowy welcome from Morph, who was very happy to see us and enjoyed having some cuddles with us
  • Had some nice tacos at Casa Pastor with Carol before we headed home on Friday
• Cookie had a good few days at Anna's parents, but jumped into the canal and had to be rescued by Anna's dad 😅
• She's been sleepy since she's gotten back, after a short walk around Woodthorpe, and then this morning we had a nice walk around Papplewick forest
• Was a bit worried when we got back and I'd received an invoice from Dell for a monitor and turns out it was a very late invoice from August 😅
• Finally uninstalled the reddit is fun app, as it's taking up space and making me sad!
• I've dusted off my Oodie, as it's rather chilly right now 🥶

In dependency-management-data world a big week of updates as well as my talk:

• Had a good journey down to London, managing to add support for end-of-life checking to SBOMs for dependency-management-data in its entirety 👏
• Add support for filtering reports by platform/org/repo/owner
• Broke the build with the v0.42.0 release 😅 and learned some fun stuff about replaces
• Added deps.dev license + CVE lookups for SBOMs
• Added CVE information to Advisories reports
• Added a report for discovered licenses
• Added the ability to pick up on missing package data - for instance ecosystems that don't include the full dependency tree
• Got some very good feedback from my talk, with someone interested in contributing, a couple of engineers from a company, another interested in playing with it and I missed someone who came to the Elastic stand looking to chat to me about it

Watched:

• Ahsoka
• Schitt's Creek
• Only Murders in the Building
  • Called part of the season 2 big reveal
  • We're unfortunately caught up now, with two episodes to go, and not enjoying having to wait 😅

This morning I cut a release of dependency-management-data which ended up horribly breaking all consumers of the application.

As I flagged in the tracking issue for this, trying to install the CLI would lead to the following error:

$ go install dmd.tanna.dev/cmd/dmd@latest
go: dmd.tanna.dev/cmd/dmd@latest (in dmd.tanna.dev@v0.42.0):
The go.mod file for the module providing named packages contains one or
more replace directives. It must not contain directives that would cause
it to be interpreted differently than if it were the main module.

This was because as part of this release, I added support for using charmbracelet/log as a log/slog handler, which isn't yet fully merged upstream so I ended up pointing to my fork of the repo based on this PR.

As mentioned in Pointing to a fork of a Go module this should be trivial to do when you're using a replace directive in your go.mod, and was working in dependency-management-data's build pipeline, up until the point that someone tried to install from it.

I've never had this issue before - despite using replace statements in some projects, and through looking at this Go issue it appears that this is only the case when you have an installable Go module, not when you're building it from the directory that contains the go.mod.

For instance, I have created a sample project on GitLab.com, where we have two modules:

The with-replace module's go.mod:

module gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha/with-replace
go 1.21.1
require github.com/charmbracelet/log v0.2.4
// indirects omitted for brevity
replace github.com/charmbracelet/log => github.com/jamietanna/log v0.2.2-0.20230912205513-bfd7186f150d

The without-replace module's go.mod:

module gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha/without-replace
go 1.21.1
require github.com/jamietanna/log v0.2.2-0.20230920083807-7382cd7fbdd8
// indirects omitted for brevity

When we try and go install the module that uses replaces, we encounter the same error:

% go install gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha/with-replace@HEAD
go: downloading gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha v0.0.0-20230920133000-0be73c155bc2
go: downloading gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha/with-replace v0.0.0-20230920133000-0be73c155bc2
go: gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha/with-replace@HEAD (in gitlab.com/tanna.dev/jvt.me-examples/go-mod-fork-gotcha/with-replace@v0.0.0-20230920133000-0be73c155bc2):
The go.mod file for the module providing named packages contains one or
more replace directives. It must not contain directives that would cause
it to be interpreted differently than if it were the main module.

But when there's not a replace, and we're pinning to a fork, this works as-is.

Also note that the two projects are pinning to a slightly different set of commits - without-replace requires we pin to this specific commit, which modifies the module declaration:

-module github.com/charmbracelet/log
+module github.com/jamietanna/log

go 1.21

Without this, we would receive the error:

go: github.com/jamietanna/log@bfd7186f150d (v0.2.2-0.20230912205513-bfd7186f150d) requires github.com/jamietanna/log@v0.2.2-0.20230912205513-bfd7186f150d: parsing go.mod:
module declares its path as: github.com/charmbracelet/log
but was required as: github.com/jamietanna/log

And as we can't specify the replace semantics, we must update the module directive in our go.mod, if we want the module to be installable without someone cloning the repository and running go install from there.

• Found that the painful feeling in my toe since Saturday was an infected ingrown toe, but luckily some rest for it and antibiotics have helped
• Cookie was a bit poorly on Monday so we took her to the vets, during which she did not appreciate temperature taken 😬 but anti-sickness meds helped, even though she enjoyed hiding under the bed and feeling sorry for herself 🥺
• Lost my nice pair of sandals to Cookie chewing on the clips 😅
• Been listening to Prada - cassö, RAYE, D-Block Europe on repeat a lot, and rediscovered Dawn Aura - il:lo Remix
• Enjoyed my second Elastic Shut It Down Day and can definitely get used to having shorter weeks 🥱
  • Did some Open Source, gaming, had a great massage and then picked up some new jeans and shorts
• Went out for lunch on Saturday which was nice, trying Kokoro - which I'd walked past on the way to M&S the day before and was intrigued - and had some nice sushi and sweet chili chicken
  • Cookie was good when I got back, and welcomed me with her flamingo, including a "roo roo roo" 🥺
• Had a really nice day coworking with Carol in town on Wednesday
  • Went to Cartwheel for breakfast, EastWest for a coffee, laptop charge and chill in the booths, Blend for lunch and then listening in to some meetings at Carol's
  • Was a little different compared to last time, as I was at least working this time 😹
  • Nice to chat, work and chill
• Been working on some good work this week at work, and prepping for a talk about dependency-management-data at tomorrow's Go lightning talks
• (Actually) finalised my slides for DevOpsDays London this coming week
• In dependency-management-data world:
  • Been working through Keith's GraphQL MRs, working to break down some of the changes into some prep MRs with the SQL changes on their own, which has had mixed success as there are some rather chonky queries and I've been trying to make it work with sqlc
  • Did some upgrades for sqlc - including working with upstream to fix some issues
  • Done some other tweaks, and have been prepping for adding End-of-Life Advisories for SBOMs
• In oapi-codegen:
  • Shipped a new version of oapi-codegen to work with Go 1.21, without requiring changes in folks' go.mods
  • Migrated our middleware to separate repos, as a way to simplify tweaks to them outside of the main code generation, and to reduce dependencies where possible
    • Unfortunately did lead to shipping a bad release for one of the middlewares because I was trying hard to get it all complete before the end of the evening, but shouldn't have rushed that last one!
  • Spent some time playing with adding log/slog support to github.com/charmbracelet/log - which was a worthwhile endeavour learning how it works under the hood - before finding that it's already been mostly implemented, as is tradition 😹 so I just needed to make a couple of small tweaks to allow it to work with Go 1.21
• Had a very dangerous trip to Lidl - as I was hungry - and bought rather a few items from the bakery 😋
  • But also super disappointed when I bought a packet of what I thought were chocolate crepes, but they were not, they were just strawberry 😞
• Had a nice couple of walks today - a long one around the River Trent in Burton Joyce, which was really nice - and then later joined Carol and Juno in a field for a bit of a chilled run around
  • On the plus side, Cookie's been so sleepy this evening 🥰
• While I'm writing these Cookie is dream barking away 🥺
• Cookie's been fairly annoying in the evenings this week, barking a fair bit, but not really indicating why 🫠
• Had Morph in the living room for a little bit of one of our evenings which was nice, after some nice barking from Cookie

Watched:

• Parks and Recreation
  • Finished our rewatch, and the nice ending 🥰
  • Was a bit disappointed that the "reunion special" was just a COVID Zoom thing, we thought it was something else
• Cinema Sins (on YouTube)
• Ahsoka
• Schitt's Creek
• Miss Congeniality
• Only Murders in the Building
• Bring It On
• Loki
  • Finally watching the last two episodes which have been hanging over me on my mental to-do list of "we haven't finished watching this programme" since week 09 in March 😅