Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/pkgsite: package removal request for go.mongodb.org/mongo-driver/mongo @ 1.6.0, 1.6.1, 1.7.0 and 1.7.1 #48666

Closed
benjirewis opened this issue Sep 28, 2021 · 2 comments
Labels
FrozenDueToAge pkgsite/package-removal Issues for package removal. See https://pkg.go.dev/about#removing-a-package pkgsite

Comments

@benjirewis
Copy link

What is the path of the package that you would like to have removed?

We would like to remove go.mongodb.org/mongo-driver/mongo@v1.6.0, go.mongodb.org/mongo-driver/mongo@v1.6.1, go.mongodb.org/mongo-driver/mongo@v1.7.0, and go.mongodb.org/mongo-driver/mongo@v1.7.1. These are four versions of the MongoDB Go driver that are affected by a security bug.

Are you the owner of this package?

Yes, one of the couple co-owners.

What is the reason that you could not retract this package instead?

We would use a retract directive, but the MongoDB Go driver has to build on Golang version 1.10, which is lower than Golang 1.16. retract directives can only be used in the main module without error on Golang 1.16+, so our only option is to remove the affected versions manually.

@gopherbot gopherbot added this to the Unreleased milestone Sep 28, 2021
@benjirewis benjirewis changed the title x/pkgsite: package removal request for [type path here] x/pkgsite: package removal request for go.mongodb.org/mongo-driver/mongo @ 1.6.0, 1.6.1, 1.7.0 and 1.7.1 Sep 28, 2021
@jamalc
Copy link

jamalc commented Oct 4, 2021

We only support removing all versions of a package or module by path. If we manually removed these versions from pkg.go.dev a user can still download them via go get and re-add them pkg.go.dev by looking them up on the site.

@jamalc jamalc modified the milestones: Unreleased, pkgsite/unplanned Oct 4, 2021
@benjirewis
Copy link
Author

Got it; thank you for the update @jamalc.

@hyangah hyangah added the pkgsite/package-removal Issues for package removal. See https://pkg.go.dev/about#removing-a-package label May 20, 2022
@golang golang locked and limited conversation to collaborators May 20, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge pkgsite/package-removal Issues for package removal. See https://pkg.go.dev/about#removing-a-package pkgsite
Projects
None yet
Development

No branches or pull requests

5 participants