Max and I have been discussing using the upcoming lockfiles proposal as a way to support this, rather than supporting it directly in the Package.swift.

Comment by Ramon Nogueira (JIRA)

It doesn't seem appropriate to put this in lock files. Lock files are generated by a tool when updating dependencies, while this would be a per-project configuration that would be hand-written.

In the code above, I don't see how this could be used to support vendoring. My understanding is that vendoring (usually) means that the sources for a given dependency are checked in to your repository (or are submodules). In this case, there is no version, we just need to point spm directly at the checked-out copy. It seems to me that what we really want is to replace wholesale the mapping

func findDependency(package: Package) throws -> File

Comment by Jay Buffington (JIRA)

I recently discovered this git config option that may be relevant here:

url.<base>.insteadOf
Any URL that starts with this value will be rewritten to start, instead, with <base>. In cases where some site serves a large number of repositories, and serves them with multiple access methods, and some users need to use different access methods, this feature allows people to specify any of the equivalent URLs and have Git automatically rewrite the URL to the best alternative for the particular user, even for a never-before-seen repository on the site. When more than one insteadOf strings match a given URL, the longest match is used.

@aciidb0mb3r/ @neonichu isn't this done with the mirroring support?

Comment by Mustafa YALCIN (JIRA)

3