
x/pkgsite: don't store retracted versions #47461

Closed
jba opened this issue Jul 29, 2021 · 7 comments
Labels
FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.), pkgsite

Comments

@jba
Contributor

jba commented Jul 29, 2021

Pkgsite will never display a retracted version as the latest version of a module. But it will process a retracted version, and it won't remove a version if it is later retracted. The page for a retracted version can be visited by providing the version number, and the version may appear in search if it was later retracted.

pkgsite should not process retracted versions, and should remove a version when it discovers it is retracted.

@jba jba added the NeedsFix (The path to resolution is known, but the work has not been done.) and pkgsite labels Jul 29, 2021
@jba jba added this to the pkgsite/unplanned milestone Jul 29, 2021
@jba jba self-assigned this Jul 29, 2021
@gopherbot

Change https://golang.org/cl/338330 mentions this issue: internal/worker: don't process retracted modules

@bcmills
Contributor

bcmills commented Aug 3, 2021

pkgsite should not process retracted versions, and should remove a version when it discovers it is retracted.

Will it still at least show a landing page indicating that the requested version is retracted?

Retracted versions can still be cached and fetched from a proxy, and users can continue to build existing modules against them — I feel like we ought to at least leave some kind of breadcrumb to acknowledge that pkgsite knows about the existence of the thing they're asking for, even if it doesn't give any further details about the retracted contents.

@jba
Contributor Author

jba commented Aug 4, 2021

Can the page simply say "This version is retracted" and link to the latest version?

@bcmills
Contributor

bcmills commented Aug 4, 2021

That seems fine to me. That said, thinking about this some more: users can continue to use retracted versions, so maybe it's worth indexing them if they are requested explicitly.

For example: suppose that module example.com/m v0.2.3 is retracted because of a CVE in package example.com/m/vulnerable, which was only found and fixed much later (say, v0.6.0). If there are breaking changes in between v0.2.3 and v0.6.0, then as an existing user of v0.2.3 I might really want to see the docs for v0.2.3 to figure out what the existing code is doing, so that I can figure out how to migrate past those breaking changes — especially if my code doesn't even import package vulnerable in the first place.
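
The retraction rule discussed in this thread, worked through as an added example that is not code from the issue or from the pkgsite code base: a constructed retract list for the hypothetical example.com/m (v0.2.3 retracted for the vulnerability, plus a retracted range), the "latest is the highest non-retracted version" rule, and the case where every known version is retracted. Versions are assumed to be well-formed vMAJOR.MINOR.PATCH strings without prerelease suffixes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// retraction is an inclusive interval from a go.mod "retract" directive; lo == hi for a single version.
type retraction struct{ lo, hi string }

// compare orders vMAJOR.MINOR.PATCH strings numerically (assumes well-formed input, no prerelease).
func compare(a, b string) int {
	pa, pb := strings.Split(a[1:], "."), strings.Split(b[1:], ".")
	for i := range pa {
		x, _ := strconv.Atoi(pa[i]); y, _ := strconv.Atoi(pb[i])
		if x != y {
			return x - y
		}
	}
	return 0
}

// isRetracted reports whether v falls inside any retracted interval.
func isRetracted(v string, rs []retraction) bool {
	for _, r := range rs {
		if compare(v, r.lo) >= 0 && compare(v, r.hi) <= 0 {
			return true
		}
	}
	return false
}

// latestNonRetracted applies the rule stated in the issue: "latest" is the highest known
// version that is not retracted; ok is false when every known version is retracted.
func latestNonRetracted(known []string, rs []retraction) (latest string, ok bool) {
	for _, v := range known {
		if !isRetracted(v, rs) && (!ok || compare(v, latest) > 0) {
			latest, ok = v, true
		}
	}
	return
}

func main() {
	// Constructed data (not from the issue): v0.2.3 retracted for the vulnerability, [v0.4.0, v0.4.2] as a broken range.
	rs := []retraction{{"v0.2.3", "v0.2.3"}, {"v0.4.0", "v0.4.2"}}
	latest, _ := latestNonRetracted([]string{"v0.2.3", "v0.4.1", "v0.5.0", "v0.6.0"}, rs)
	fmt.Println(latest, isRetracted("v0.2.3", rs)) // v0.6.0 true
}
```

A request for v0.2.3 by explicit version still resolves (isRetracted reports true, so the page can say so and link to the latest), while a module whose versions are all retracted yields no latest version at all.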

@jba
Contributor Author

jba commented Aug 6, 2021

Good point, Bryan. We will keep processing retracted versions. (But we'll continue omitting them from search results.)

@jba jba closed this as completed Aug 6, 2021
@bcmills
Contributor

bcmills commented Aug 6, 2021

(But we'll continue omitting them from search results.)

Is that behavior live? https://beta.pkg.go.dev/search?q=rerpc shows github.com/akshayjshah/rerpc as the second hit, but all known versions of that module are retracted (https://beta.pkg.go.dev/github.com/akshayjshah/rerpc?tab=versions).

@jba
Contributor Author

jba commented Aug 7, 2021

Thanks for catching. That's an un-done TODO in the code. Tracked at #47590.

@rsc rsc unassigned jba Jun 23, 2022
@golang golang locked and limited conversation to collaborators Jun 23, 2023