-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stop bumping go directive unless necessitated by other dependencies #2664
Comments
/cc @mtrmac |
* update golangci-lint to v1.62.x Signed-off-by: cpanato <ctadeu@gmail.com> * update go to min go1.23.4 Signed-off-by: cpanato <ctadeu@gmail.com> --------- Signed-off-by: cpanato <ctadeu@gmail.com>
Thanks for reaching out.
That PR did need to bump the
That’s true as of
This is an intentional property of the Go module / versioning system, and, for better or worse, no individual repo can stop that from happening. It would take a coordinated action from way too many actors in the ecosystem to give users back the desired control. I think the best bet would be to convince Go upstream to change the design, and the chances seem low to me. Failing that, I think users need to be ready to accept the need to update to a new Go 1.X.Y version on short notice. (We do try hard to delay updates to 1.X versions, because those tend to require more migration. But that’s still a trade-off, WRT making it possible to fix vulnerabilities in dependencies quickly.)
When dependencies of c/image update the In this particular case as of this moment, we might be able to go back to 1.22.6 (I would accept a PR for that but I’m not going to file one myself) — but, I think that longer-term this is mostly futile and, sadly, users of Go-written software ultimately need to be ready to update the toolchain. |
Yes the tooling will enforce the minimum for other deps of c/image. Except - some repos do actually bump go directive for forcing GitHub actions setup-go to select version based on go.mod. the proper thing to use there is toolchain directive not go directive. Just adding cautionary tales. There are enough coordinated effort out there that without changes to golang a significant number of projects can ward off minimum patch version of golang. |
This PR https://github.com/containers/image/pull/2601/files for example did not need to bump go directive.
The minimum go required for that PR dependency bump is
A more acceptable minimum is one that is unfortunate but required by other modules.
This repo by itself should not be enforcing minimum on other repositories importing it. Stop spreading "minimum virus"
toolchain version used will be defined outside of go.mod ideally, such as by installing a newer compatible go toolchain to ci/cd/development env.
Failing that, toolchain directive should be used instead of go directive for bumping versions to not cascade minimum versions to importing dependencies.
High profile repos that have removed/reduced minimum go patch version per user requests
Being proactive to prevent following from reoccuring
The text was updated successfully, but these errors were encountered: