The real problem with go get here is that it can't pick a version, only latest. Checking in vendor is much safer because your dependencies can't break you.
there are no good upstream suggestions on how to deal with vendor.
My preference is to use to use http://glide.sh/ and store 'glide.yaml' and 'glide.lock' in the repo, at which point the vendor folder can be recreated to the correct versions without needing to parse code or checkin vendor.
Glide is also really good at handling updates, pulling from alternate sources, tracking alternate branch names, etc etc.
there are no good upstream suggestions on how to deal with vendor.
My preference is to use to use http://glide.sh/ and store 'glide.yaml' and 'glide.lock' in the repo, at which point the vendor folder can be recreated to the correct versions without needing to parse code or checkin vendor.
Glide is also really good at handling updates, pulling from alternate sources, tracking alternate branch names, etc etc.