cmd/go: suspicious use of modload.Selected in modload.checkRetractions #42601

Closed
bcmills opened this issue Nov 13, 2020 · 2 comments
Labels
FrozenDueToAge modules NeedsFix The path to resolution is known, but the work has not been done. okay-after-beta1 Used by release team to mark a release-blocker issue as okay to resolve either before or after beta1 release-blocker

bcmills commented Nov 13, 2020

(Noticed while refactoring for #36460.)

modload.checkRetractions is supposed to consult the go.mod file from the latest (possibly self-retracted) version of the associated module. However, we're currently invoking Query with Selected(path).

If the selected version is a +incompatible version higher than the compatible latest version, that query will return the highest +incompatible version. Otherwise, its result depends on whether the latest compatible version includes a go.mod file.

Since retractions are themselves published in the go.mod file, we should instead prefer that compatible version if it exists — especially because that go.mod file may explicitly retract the previously-published +incompatible versions.

(Marking as release-blocker for 1.16 because retractions are new as of this release.)

// Find the latest version of the module.
// Ignore exclusions from the main module's go.mod.
// We may need to account for the current version: for example,
// v2.0.0+incompatible is not "latest" if v1.0.0 is current.
rev, err := Query(ctx, path, "latest", Selected(path), nil)
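
The selection behaviour described in this report, as an added Go sketch that is not cmd/go's code and not part of the original issue. The names `release`, `latest`, `flagged` and the `history` data are hypothetical, and the model keeps only the rule stated above: a `+incompatible` current version keeps `+incompatible` candidates in play, otherwise they are dropped when the latest compatible version has a go.mod file.

```go
package main

import (
	"fmt"
	"strings"
)

// release is a constructed published version; retracts is what its go.mod retracts.
type release struct {
	version  string
	hasGoMod bool
	retracts []string
}

// latest models the "latest" query described in the issue. releases must be
// in ascending order; current stands for the value passed as Selected(path).
func latest(releases []release, current string) release {
	wantIncompatible := strings.HasSuffix(current, "+incompatible")
	var best, lastCompatible release
	for _, r := range releases {
		if !strings.HasSuffix(r.version, "+incompatible") {
			lastCompatible = r
		} else if !wantIncompatible && lastCompatible.hasGoMod {
			break // compatible line has a go.mod: ignore +incompatible versions
		}
		best = r
	}
	return best
}

// flagged reports whether the go.mod consulted for retractions retracts target.
func flagged(releases []release, current, target string) bool {
	for _, v := range latest(releases, current).retracts {
		if v == target {
			return true
		}
	}
	return false
}

// Constructed history: v1.0.0 was published later to retract v2.0.0+incompatible.
var history = []release{
	{"v1.0.0", true, []string{"v2.0.0+incompatible"}},
	{"v2.0.0+incompatible", false, nil},
}

func main() {
	// Selected version as current, then selection ignored. Prints: false true
	fmt.Println(flagged(history, "v2.0.0+incompatible", "v2.0.0+incompatible"),
		flagged(history, "", "v2.0.0+incompatible"))
}
```

With the selected version passed as current, the retraction published in v1.0.0 is never read, so a build pinned to the retracted version gets no warning.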

@bcmills bcmills added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. release-blocker modules labels Nov 13, 2020
@bcmills bcmills added this to the Go1.16 milestone Nov 13, 2020
@bcmills bcmills added the NeedsFix The path to resolution is known, but the work has not been done. label Nov 13, 2020
@gopherbot gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 13, 2020
@gopherbot

Change https://golang.org/cl/271057 mentions this issue: cmd/go/internal/modload: ignore selected version in checkRetractions

@bcmills bcmills added the okay-after-beta1 Used by release team to mark a release-blocker issue as okay to resolve either before or after beta1 label Nov 19, 2020
@gopherbot

Change https://golang.org/cl/272006 mentions this issue: cmd/go/internal/modload: ignore selected version in checkRetractions

@golang golang locked and limited conversation to collaborators Nov 20, 2021