Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: issuing mod edit -retract allows bad version format #43280

Closed
nomad-software opened this issue Dec 19, 2020 · 10 comments
Closed

cmd/go: issuing mod edit -retract allows bad version format #43280

nomad-software opened this issue Dec 19, 2020 · 10 comments
Labels
FrozenDueToAge help wanted modules NeedsFix The path to resolution is known, but the work has not been done.
Milestone
Go1.16

Comments

@nomad-software
Copy link

What version of Go are you using (go version)?

v1.16 beta1

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/tmp/go-cache"
GOENV="/home/gary/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/tmp/go-mod-cache"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/media/Data/Projects/Go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go"
GOSUMDB="sum.golang.org"
GOTMPDIR="/tmp"
GOTOOLDIR="/opt/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.16beta1"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/media/Data/Projects/Go/src/github.com/nomad-software/vend/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build631806544=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Changed directory to my project and issued the following commands

go mod edit -retract 1.0.0
go mod edit -json

Then received the following error.

go: errors parsing go.mod:
/media/Data/Projects/Go/src/github.com/nomad-software/vend/go.mod:5: retract: version "1.0.0" invalid: must be of the form v1.2.3

What did you expect to see?

Issuing the command go mod edit -retract 1.0.0 should have warned me the version format was wrong.

What did you see instead?

version "1.0.0" invalid: must be of the form v1.2.3
@cagedmantis cagedmantis changed the title go mod edit -retract allows bad version format cmd/go: issuing mod edit -retract allows bad version format Dec 21, 2020
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 21, 2020
@cagedmantis cagedmantis added this to the Go1.16 milestone Dec 21, 2020
@cagedmantis
Copy link
Contributor

/cc @bcmills @jayconrod @matloob

@bcmills bcmills added help wanted modules NeedsFix The path to resolution is known, but the work has not been done. labels Dec 21, 2020
@gopherbot gopherbot removed the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Dec 21, 2020
@bcmills
Copy link
Contributor

bcmills commented Dec 21, 2020

In general go mod edit would benefit from a lot more validation than it has today (see also #32630, #28439, and others). It would be nice if we can fix this before the 1.16 release, but I don't think it's absolutely critical.

@jayconrod
Copy link
Contributor

Should go mod edit only allow canonical semantic versions for require, replace, and exclude as well? In 1.15 you can use branch or tag names for any version. The next module aware command will change those to canonical versions. That will be a lot less useful in 1.16 with -mod=readonly though, and for scripting, it's probably a better idea to resolve non-canonical versions with go list -m first.

@bcmills
Copy link
Contributor

bcmills commented Dec 21, 2020

For require, at least, go mod edit followed by go mod tidy should be a decent option for scripting — but I would not expect go mod tidy to change retract directives in any way.

So I think we should continue to accept non-canonical versions for at least require and replace, but reject them for retract.

@tzierbock
Copy link

It appears this would be a simple case of adding validation of the input versions to File.AddRetract? If that is indeed the case I can come up with a CL for that. Would the same make sense for File.AddExclude?

@bcmills
Copy link
Contributor

bcmills commented Dec 22, 2020

Yep, the AddRetract function sounds like the right place.

I'm not sure whether we should reject non-canonical versions for exclude directives. Could you check whether they are rewritten to canonical versions today?

@tzierbock
Copy link

By testing go mod edit -exclude with a similar version string it appears it causes the same behaviour, not complaining when adding the exclude statement and then producing an error on subsequent runs of go mod tidy or go mod edit -json

@bcmills
Copy link
Contributor

bcmills commented Dec 22, 2020

Thanks. Then we should probably validate in AddExclude too.

@gopherbot
Copy link

Change https://golang.org/cl/279394 mentions this issue: cmd/go: validating version format in mod edit

gopherbot pushed a commit to golang/mod that referenced this issue Jan 14, 2021
@tzierbock
cmd/go: validating version format in mod edit
6ce8bb3 
Version strings set by -retract and -exclude are not canonicalized
by go mod commands. This change adds validation to go mod edit to
prevent invalid version strings from being added to the go.mod file.

For golang/go#43280

Change-Id: I3708b7a09111a56effac1fe1165122772e3f2d75
Reviewed-on: https://go-review.googlesource.com/c/mod/+/279394
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Trust: Michael Matloob <matloob@golang.org>
@gopherbot
Copy link

Change https://golang.org/cl/283853 mentions this issue: cmd/go: in 'go mod edit', validate versions given to -retract and -exclude

@golang golang locked and limited conversation to collaborators Jan 14, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge help wanted modules NeedsFix The path to resolution is known, but the work has not been done.
Projects
None yet
Milestone
Go1.16
Development

No branches or pull requests
7 participants
@cagedmantis @jayconrod @nomad-software @bcmills @tzierbock @gopherbot and others