x/pkgsite: support retractions #43265
Comments
jba
added
NeedsInvestigation
|
Change https://golang.org/cl/295430 mentions this issue: |
When fetching a module at a version, the proxy datasource uses fetch.RawLatestInfo to get the go.mod file at the raw latest version of the module, then uses internal.RawLatestInfo.PopulateModule to determine whether the module version is deprecated or retracted. Also, add some proxy test modules to facilitate testing. For golang/go#41321 For golang/go#43265 For golang/go#44437 Change-Id: I312346d72f656e598ad170135046ef85da8e9b11 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295430 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Change https://golang.org/cl/295891 mentions this issue: |
|
Change https://golang.org/cl/295892 mentions this issue: |
For golang/go#43265 For golang/go#41321 Change-Id: I1e8e6fe0f55d536696e1c58e81726292278fd20c Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295891 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
For golang/go#43265 For golang/go#41321 Change-Id: I5812501765ffd2a2ce57df6795ccd558884d3087 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295892 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Change https://golang.org/cl/295896 mentions this issue: |
|
Change https://golang.org/cl/295898 mentions this issue: |
|
Change https://golang.org/cl/295897 mentions this issue: |
|
Change https://golang.org/cl/295899 mentions this issue: |
For golang/go#43265 For golang/go#41321 Change-Id: I54f81bcc6b2e4cf31aacdbd630cc0650a833ae25 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295896 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
Consolidate creation of RawLatestInfo in one function. For golang/go#43265 Change-Id: Id57d044c33a678b8ff4e57ada1a5569e09f841d0 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295897 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
The deprecation information depends only on the go.mod file, so we can compute it once in NewRawLatestInfo. For golang/go#43265 Change-Id: I1626ab39ff776450147c3e4a4b33883ab2910b2c Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295898 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
For golang/go#43265 Change-Id: I297856d635eda30d09e42a860f39e0cffc452464 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/295899 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Change https://golang.org/cl/296209 mentions this issue: |
|
Change https://golang.org/cl/296229 mentions this issue: |
UnitMeta had most of the fields of ModuleInfo, but did not embed it. Now that we have added four more fields to ModuleInfo for deprecation and retraction, it makes sense to embed it rather than duplicate those fields. For golang/go#43265 For golang/go#41321 Change-Id: I20e2b922b49c7873a5535745d644631123de37cd Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/296209 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
For golang/go#43265 For golang/go#41321 Change-Id: I8dc86d87882b96d3c3ffe7c1d035937f210b9a91 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/296229 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Change https://golang.org/cl/296812 mentions this issue: |
|
Change https://golang.org/cl/296815 mentions this issue: |
For golang/go#43265 For golang/go#41321 Change-Id: I7bf803b68b1532b968ad1175433275f5a4778078 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/296812 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
When a module is deprecated or retracted, add a banner to the main page. Test with an integration test to verify that the deprecation/retraction information makes it through the entire pipeline. For golang/go#43265 For golang/go#41321 Change-Id: I0ffd1a9d1617e2865a10f0b0a8a8a3af6ed4d420 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/296815 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Change https://golang.org/cl/297509 mentions this issue: |
For golang/go#43265 Change-Id: Iac39814ce532adf5846bb768802a46ad7a77fa84 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/309609 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Change https://golang.org/cl/309610 mentions this issue: |
|
Change https://golang.org/cl/309709 mentions this issue: |
|
Change https://golang.org/cl/309710 mentions this issue: |
The deprecated_column in the modules table has been superseded by the information in the latest_module_versions table. For golang/go#43265 Change-Id: Ib53e0b295a3edf8e807ff825b36baa6701b927b1 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/309610 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
For golang/go#43265 Change-Id: I1d056a893fdff60744ff328ab9f4a1b6665b3e32 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/309709 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
For golang/go#43265 Change-Id: I5885853463ed52915a7956e66bdfae9498ce90df Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/309710 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> TryBot-Result: kokoro <noreply+kokoro@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
Retraction support is live. |
|
Apparently it doesn't see the retractions in https://pkg.go.dev/golang.zx2c4.com/wireguard . The v0.0.20201119 version should retract all others and itself: https://git.zx2c4.com/wireguard-go/tree/go.mod?h=v0.0.20201119 |
|
There's something odd going on. Did you perhaps change a tag? According to the Go tools, the latest version of your module is indeed v0.0.20201119. But the proxy won't download that version, and here's what happens when I try to get it directly: The best approach would be to tag a new, later version that has a go.mod with all the desired retractions. |
|
You're right. I had changed a tag, after I realized that proxy.golang.org won't cache things without at least a single .go file beyond a few days. So that explains that. Current status is that retractions don't seem to be propagating:
All of those should actually be retracted, per the go.mod file:
|
|
It looks like it's still very goofed up:
It thinks that the most recent commit is https://git.zx2c4.com/wireguard-go/commit/?id=6a128dd which is some random old commit from January, rather than the most recent commit, which is today. |
|
Sorry for the delay getting back to you. Your module is an interesting case. You've retracted all the tagged versions, leaving only pseudo-versions. And some of those pseudo-versions, having been landed on top of tagged versions, are technically "later" than the more recent ones you've published. Can I suggest tagging the version you want to be latest with a new, higher tag? Tagged versions are definitely the way to go. |
I'm following precisely the suggestion given by the Go team earlier for retracting all versions. Things work perfectly with
The project is not yet ready to release a stable version. Therefore no tags are possible at the moment. Rather, the logic in pkgsite is clearly borked, as |
|
Agreed, pkgsite has a bug. We'll work on fixing it. However, tags don't imply stability. You can tag with a major version of zero. |
|
Actually, I'm not sure that the bug is in pkgsite. Or at least, I don't quite know what the bug is. To go over the logic again: Since all the tagged versions are retracted, only the pseudo-versions matter. Note that the The difference between the Pkgsite has the full history so it "correctly" serves the highest version. @jayconrod @julieqiu What's the right fix here? Maybe pkgsite should ignore pseudo-versions derived from retracted versions? |
|
We just report whatever As I think we've discussed elsewhere, AFAIK the only way to know for sure what the "latest" version is is to ask the |
That is correct. Ideally, when you retract an erroneous release version you should also retract the range of pseudo-versions derived from that release, although in some sense those pseudo-versions were never “released” to begin with. |
|
Change https://golang.org/cl/318069 mentions this issue: |
The good latest version of a module should never be later than the cooked latest version. If it is, then pkgsite will show a different version than the go command will download. One way this can happen is if a module retracts all tagged versions, and pseudo-versions were built on top of some of them. For example, initially it could have versions v0.1.0 v0.1.0-DATE-HASH (a pseudo-version) Then v0.1.0 is retracted and a new pseudo-version appears at head: v0.1.0 (retracted) v0.1.0-DATE-HASH v0.0.0-DATE-HASH (head of default branch) The go command will get the v0.0.0 version, but technically the v0.1.0 is later. For golang/go#43265 Change-Id: I8ff30de4eb2dcdf108205de99af93d2f31772cff Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/318069 Trust: Jonathan Amsterdam <jba@google.com> Run-TryBot: Jonathan Amsterdam <jba@google.com> Reviewed-by: Julie Qiu <julie@golang.org>
|
This should be fixed. https://pkg.go.dev/golang.zx2c4.com/wireguard shows a version published on May 13, a few days ago. Reopen if there are still problems. |
|
Excellent, thank you for fixing this! |
Beginning with Go 1.16, module authors will be able to retract versions of their modules. The
gocommand will ignore retracted versions by default.pkg.go.dev should expose that a version is retracted.
UI Ideas
The page for a retracted version should show that it is retracted, and display the rationale if any.
In the list of module versions, retracted versions should either be displayed at the bottom, or indicated in some other way (such as a red strikethrough). They shouldn't be hidden, because someone might be using a retracted version and want to visit its page.
We could show which imported packages are retracted, but that depends on having precise version information about imports (that is, the build list), which we don't currently have.
Implementation
The proposal for retraction is at #24031 (comment). In brief: retraction is done by adding
retractdirectives in go.mod files. Each directive lists a range of versions and a rationale. Only the latest go.mod file, as defined by the go command's@latestquery, is authoritative.The modules table should have a column that contains the information in the
retractdirectives, perhaps as JSON. The worker parses the go.mod file and populates the column during processing.The frontend reads the retractions from the latest version of a module and applies them to the module in the request.
This involves an extra DB query sometimes, but only when viewing a version that is not the latest, which is uncommon.
One wrinkle: the latest version can retract itself. In that case, finding the true latest version (the one that deserves the "LATEST" badge) requires another pass over the list of unretracted versions.
In an alternative design, there is a column
modules.retractedwhich gives the state for each version, and the worker populates that for all versions when it is processing the latest one. This involves some subtleties:retractdirective before it has processed it. Where should it store that information?The advantages are fewer queries at serving time in some cases, and the ability to query easily for the latest unretracted version.
The text was updated successfully, but these errors were encountered: