cmd/go: make go.mod exclude directives deterministic #36465
Comments
|
I think (2) is important. As an alternative to (1), we could instead ignore the excluded requirement entirely. (If we know that the main module already has a dependency on a higher version anyway, then replacing the lower version with the higher one has the same effect as dropping the lower one entirely.) That would drop the excluded edges from |
bcmills
added
the
NeedsFix
bcmills
changed the title
|
Yes, we should always write down a choice if we decide we have to make a choice. |
|
I'm guessing that nothing happened for 1.15, so rolling forward to 1.16. |
|
I'm deep in the guts of the module loader for #36460 anyway, so I'm going to implement the behavior described in #36465 (comment). We will ignore requirements on excluded versions whenever they are encountered, with the result that we will either downgrade to the highest non-excluded version found in the requirement graph or re-resolve the That approach is deterministic: if we do not need to re-resolve, it always yields the same subgraph of the original requirement graph, and if we do need to re-resolve we will record the resulting version as a new requirement (even if it is lower than the excluded version). It also has the nice benefit of enabling users to |
|
Spot-checking some known open-source
The planned change (to simply ignore all references to the excluded version) will continue to work for both of those categories. |
|
Change https://golang.org/cl/244773 mentions this issue: |
|
Change https://golang.org/cl/278596 mentions this issue: |
For #36460 Updates #36465 Change-Id: Id818dce21d39a48cf5fc9c015b30497dce9cd1ef Reviewed-on: https://go-review.googlesource.com/c/go/+/278596 Trust: Bryan C. Mills <bcmills@google.com> Run-TryBot: Bryan C. Mills <bcmills@google.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Jay Conrod <jayconrod@google.com> Reviewed-by: Michael Matloob <matloob@golang.org>
|
Change https://golang.org/cl/287414 mentions this issue: |
For golang/go#36465 Change-Id: I2ee22295c9c542697f211ce517866560e33ef480 Reviewed-on: https://go-review.googlesource.com/c/website/+/287414 Trust: Jay Conrod <jayconrod@google.com> Reviewed-by: Bryan C. Mills <bcmills@google.com>
Background
excludedirectives ingo.modfiles prevent thegocommand from loading specific module versions. When an excluded version would normally be loaded, thegocommand instead loads the next higher semantic version that is not excluded. Both release and pre-release versions may be considered the next higher version, but not pseudo-versions. If there is no higher version, thegocommand fails with an error.Problem
The "next" higher version depends on the list of available versions and may change over time. When the
gocommand encounters an excluded version, it always requests a list of versions from a proxy or the origin repository. Unlike other requests, version lists aren't cached, since versions may be added and removed over time. As a result, these fetches are expensive, and they may not work at all if the user is offline or hasGOPROXY=offset.This behavior also makes the build non-deterministic. Since the "next" version may change, the build list may vary depending on when the build was run and which proxy was used. A malicious proxy may selectively show and hide versions, but if the checksum database is being used, a proxy can't introduce a version that wasn't created by the module author without being detected.
If an excluded version is required in the main module's
go.modfile, thegocommand will update the requirement with the version chosen by MVS (typically the "next" version, but possibly something higher). However, excluded versions may still be required transitively, so they may still be loaded. Consider the example below:Suppose that
example.com/b@v1.0.0has thisgo.modfile:In this example,
example.com/mstill transtively references the excluded versionexample.com/a@v1.0.0viaexample.com/b@v1.0.0.This appears to be the root cause of #36453.
Proposed solution
go.mod, thegocommand should use the required version instead of fetching the next version.gocommand looks up the next version for an excluded module version (because (1) does not apply), it should add a requirement on that version to the main module'sgo.modfile if one is not already present.Together, these changes prevent the
gocommand from fetching versions more than once after anexcludedirective is added to thego.modfile. The behavior in (2) causes thegocommand to record the next version. The behavior in (1) ensures thegocommand acts determinisitically after this information is recorded.In the above example, the
gocommand would act as ifexample.com/brequiredexample.com/a@v1.1.0instead ofexample.com/a@v1.0.0. The requirement onexample.com/a@v1.1.0would be added to the main module'sgo.modfile if it weren't already present.Impact
excludedirectives are lightly used in publically visible modules. @heschik did an analysis a few weeks ago and found ~1000 module versions usingexclude. Many of these were versions of the same modules or forks. We found ~50 distinct modules usingexcludeat any version.excludedirectives are likely more common in top-level modules (as opposed to open source libraries).cc @rsc @bcmills @matloob @heschik @FiloSottile
The text was updated successfully, but these errors were encountered: