cmd/go: unnecessarily multiple possible pseudo versions for one commit

[hajimehoshi]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11rc2 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/hajimehoshi/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/hajimehoshi/go"
GOPROXY=""
GORACE=""
GOROOT="/Users/hajimehoshi/sdk/go1.11rc2"
GOTMPDIR=""
GOTOOLDIR="/Users/hajimehoshi/sdk/go1.11rc2/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/hajimehoshi/gotest/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/b7/w11sqqrx7kx6fqfbn24wdsmh0000gn/T/go-build335252993=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Create a project repository with a main.go importing github.com/hajimehoshi/ebiten, and created go.mod. I tested 5 types of go.mod:

module example.com/m

require github.com/hajimehoshi/ebiten v0.0.0-20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.0.0-20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.7.0-alpha.0.20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.8.0-alpha.0.20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.9.0-alpha.0.20180819111657-1c088dc8b6d3

Run go1.11rc2 mod tidy with each go.mod

What did you expect to see?

go mod tidy should update the dependency version to v1.8.0-alpha.0.20180819111657-1c088dc8b6d3 since there is a tagged commit v1.8.0-alpha

What did you see instead?

In any cases, go mod tidy didn't update go.mod.

I think especially the case of v1.9.0-... seems dangerous since it might pollute the cache and when I release the version v1.9.0-*, the cache might not work well.

[bcmills]

Note that, in general, a given commit can correspond to multiple tagged versions too: nothing stops you from, say, tagging the same commit as all of v1.8.5, v1.9.0-rc1, and v1.9.0.

[hajimehoshi]

OK, so I fixed the issue title. Thanks!

[thepudds]

I think https://golang.org/cl/174061 would help this as well (by making it deterministic by selecting the semantically highest tag when it first creates a pseudo-version).

However, is part of the complaint here that a human can manually enter different pseudo-versions, and/or that different go.mod files over time might have different pseudo-versions for the same commit if tags are added over time to a single commit?

[thepudds]

@hajimehoshi In your example that you reported here, is it the case that most of the pseudo-versions you tried had the "wrong" semver tag within them for that same commit 1c088dc8b6d3 you kept using, but then go mod tidy did not update those "wrong" pseudo-versions to have correct semver tag within the pseudoversion?

@bcmills Would it be reasonable for go mod tidy to be defined to reach back to the source for any pseudo-version found in go.mod to pick the semantically highest semver tag contained within that commit and update the corresponding pseudo-version within the go.mod? Or at least for go mod tidy to do that update if the pseudo-version found in go.mod has a "wrong" semver tag within it?

CC @rogpeppe

[hajimehoshi]

but then go mod tidy did not update those "wrong" pseudo-versions to have correct semver tag within the pseudoversion?

As far as I remember, correct. Let me double-check later.

[bcmills]

@thepudds, I don't think go mod tidy is the right place for that. (It shouldn't hit the network if the module graph and the package graph are already in alignment and the required modules are already in the local cache.)

We also can't reject versions that are arbitrarily below that implied by parent tags. The same commit may be (for example) tagged as v1.3.0 and v1.2.1 (if it is, say, released as v1.3.0 and subsequently determined to fix a regression in v1.2.0), so it should be possible to name a commit based on any tag it may logically succeed.

However, we probably should reject (that is, refuse to even resolve) pseudo-versions that are above that implied by the highest tag, since that would allow modules to forcibly downgrade dependencies by misrepresenting the version of an old commit.

[gopherbot]

Change https://golang.org/cl/181881 mentions this issue: cmd/go: validate pseudo-versions against module paths and revision metadata

[gopherbot]

Change https://golang.org/cl/182178 mentions this issue: cmd/go/internal/modfetch: re-resolve commit hashes in readDiskStat

[bcmills]

Here is a sample of affected paths, derived from https://index.golang.org:

bitbucket.org/dchapes/db a88b39da22e9
        2017-01-02 20:58:12 +0000 UTC
        2018-08-04 20:58:12 +0000 UTC
github.com/BurntSushi/xgb 27f122750802
        2016-05-22 18:18:43 +0000 UTC
        2016-05-22 22:18:00 +0000 UTC
github.com/DeanThompson/ginpprof 3be636683586
        2019-04-08 06:31:50 +0000 UTC
        2019-04-08 07:07:48 +0000 UTC
github.com/StackExchange/wmi cbe66965904d
        2019-05-23 21:33:15 +0000 UTC
        2019-05-23 21:36:09 +0000 UTC
github.com/antihax/optional ca021399b1a6
        2018-04-06 19:43:04 +0000 UTC
        2018-04-07 02:43:04 +0000 UTC
github.com/awalterschulze/gographviz 1e9ccb565bca
        2019-02-21 21:06:32 +0000 UTC
        2019-03-29 05:28:59 +0000 UTC
github.com/bingoohuang/gou bf3d9b2b55aa5840c442284656ed6b15aedc5a25
        2019-05-27 05:31:07 +0000 UTC
        2019-06-04 08:29:26 +0000 UTC
github.com/certifi/gocertifi d2eda7129713
        2019-05-06 16:45:43 +0000 UTC
        2019-05-06 17:44:09 +0000 UTC
github.com/containerd/containerd ceba56893a76
        invalid base: "v1.3.0-0.20190321141026-ceba56893a76"
github.com/coreos/go-systemd 95778dfbb74e
        2019-03-21 10:07:06 +0000 UTC
        2019-04-01 02:55:00 +0000 UTC
github.com/cpuguy83/go-md2man 691ee98543af
        2018-06-19 19:30:05 +0000 UTC
        2018-06-19 20:56:30 +0000 UTC
github.com/denisenkom/go-mssqldb 731ef375ac02
        2019-04-23 18:37:35 +0000 UTC
        2019-04-27 21:28:04 +0000 UTC
github.com/etcd-io/etcd 35a67024f680
        2019-06-03 11:18:07 +0000 UTC
        2019-06-03 18:18:07 +0000 UTC
github.com/fishy/gcsbucket 618d60fe84e0
        2015-04-10 20:54:53 +0000 UTC
        2018-02-17 03:18:46 +0000 UTC
github.com/fujiwara/ridge 3b8228696ce7
        2019-03-12 08:07:41 +0000 UTC
        2019-03-12 08:41:19 +0000 UTC
github.com/gin-contrib/static c1cdf9c9ec7b
        2019-05-11 12:47:41 +0000 UTC
        2019-05-11 13:24:12 +0000 UTC
github.com/gin-gonic/contrib 7fb7810ed2a0
        2019-05-26 02:17:35 +0000 UTC
        2019-05-26 02:44:57 +0000 UTC
github.com/git-lfs/go-ntlm c5056e7fa066
        2019-03-07 20:31:51 +0000 UTC
        2019-04-01 17:57:52 +0000 UTC
github.com/golang/lint 8f45f776aaf1
        2018-12-17 17:45:47 +0000 UTC
        2019-02-27 17:43:05 +0000 UTC
github.com/golangci/errcheck ef45e06d44b6
        2018-10-03 20:33:44 +0000 UTC
        2018-12-23 08:41:20 +0000 UTC
github.com/golangci/go-tools 35a9f45a5db0
        2018-01-09 14:01:46 +0000 UTC
        2019-01-24 09:00:46 +0000 UTC
github.com/golangci/gofmt 0b8337e80d98
        2018-11-05 07:17:33 +0000 UTC
        2018-12-22 12:35:16 +0000 UTC
github.com/golangci/lint c2187e7932b5
        2017-09-08 18:12:59 +0000 UTC
        2018-09-02 08:04:04 +0000 UTC
github.com/golangci/unparam 7ad9dbcccc16
        2018-09-02 11:25:48 +0000 UTC
        2018-09-02 11:51:09 +0000 UTC
github.com/google/pprof 8358a9778bd1
        2019-05-02 14:41:55 +0000 UTC
        2019-05-09 08:38:00 +0000 UTC
github.com/google/wire 93b1ce745f8d
        invalid base: "v0.3.0-0.20190611223505-93b1ce745f8d"
github.com/hashicorp/hcl2 4b22149b7cef
        2019-05-15 22:32:18 +0000 UTC
        2019-05-15 22:43:32 +0000 UTC
github.com/justinas/alice 03f45bd4b7da
        2016-09-10 10:38:22 +0000 UTC
        2017-10-23 06:44:55 +0000 UTC
github.com/knq/sdhook 4d2800fd245c
        2019-05-12 23:18:55 +0000 UTC
        2019-05-12 23:42:13 +0000 UTC
github.com/mgechev/dots 18fa4c4b71cc
        2018-12-28 16:47:30 +0000 UTC
        2019-06-03 12:26:14 +0000 UTC
github.com/modsdemo/v0tags d69de0386093
        invalid base: "v0.9.0-0.20190505141014-d69de0386093"
github.com/netlify/netlify-commons c4d04dcc126b
        invalid base: "v0.17.0-0.20190606095701-c4d04dcc126b"
github.com/prometheus/procfs 0c11a8e341bf
        2019-05-30 14:28:22 +0000 UTC
        2019-05-30 14:47:49 +0000 UTC
github.com/prometheus/procfs 3cb620ac02d0
        2019-05-28 15:12:40 +0000 UTC
        2019-05-28 15:47:54 +0000 UTC
github.com/prometheus/procfs 5867b95ac084
        2019-05-07 16:40:30 +0000 UTC
        2019-05-13 00:39:49 +0000 UTC
github.com/prometheus/procfs 65bdadfa96ae
        2019-05-29 15:59:44 +0000 UTC
        2019-05-29 17:30:44 +0000 UTC
github.com/prometheus/procfs 740c07785007
        2019-05-03 13:03:16 +0000 UTC
        2019-05-06 00:28:11 +0000 UTC
github.com/prometheus/procfs 87a4384529e0
        2019-04-25 08:29:05 +0000 UTC
        2019-04-30 20:53:26 +0000 UTC
github.com/prometheus/procfs 9935e8e0588d
        2019-05-19 11:10:21 +0000 UTC
        2019-05-20 13:46:16 +0000 UTC
github.com/prometheus/procfs a7aeb8df3389
        2019-05-23 19:31:04 +0000 UTC
        2019-05-23 19:40:42 +0000 UTC
github.com/prometheus/procfs bbced9601137
        2019-02-27 23:14:51 +0000 UTC
        2019-02-28 00:09:57 +0000 UTC
github.com/prometheus/procfs bc1a522cf7b1
        2019-05-22 11:45:15 +0000 UTC
        2019-05-23 18:31:34 +0000 UTC
github.com/smartystreets/assertions 980c5ac6f3ac
        2019-02-15 21:06:24 +0000 UTC
        2019-03-30 03:27:15 +0000 UTC
github.com/smartystreets/assertions f487f9de1cd3
        2019-04-01 21:17:40 +0000 UTC
        2019-05-30 18:08:12 +0000 UTC
github.com/smartystreets/goconvey 68dc04aab96a
        2019-03-30 03:26:15 +0000 UTC
        2019-03-30 03:27:15 +0000 UTC
                (and 290 more)
github.com/smartystreets/goconvey ef6db91d284a
        2018-02-22 19:45:00 +0000 UTC
        2019-03-30 03:26:15 +0000 UTC
github.com/spf13/cobra c46add8a6528
        0001-01-01 00:00:00 +0000 UTC
        2017-07-11 12:08:33 +0000 UTC
github.com/ugorji/go/codec e444a5086c43
        2019-02-04 20:13:41 +0000 UTC
        2019-04-29 20:13:41 +0000 UTC
github.com/zclconf/go-cty 4fecf87372ec
        2019-05-16 20:38:16 +0000 UTC
        2019-05-19 16:34:11 +0000 UTC
go.etcd.io/etcd 35a67024f680
        2019-06-03 11:18:07 +0000 UTC
        2019-06-03 18:18:07 +0000 UTC
go4.org 94abd6928b1d
        2019-03-13 08:23:47 +0000 UTC
        2019-04-30 20:53:26 +0000 UTC
golang.org/x/arch 788fe5ffcd8c
        2019-03-12 16:21:04 +0000 UTC
        2019-03-29 05:28:59 +0000 UTC
golang.org/x/crypto 0709b304e793
        2018-09-04 16:38:35 +0000 UTC
        2019-01-29 21:01:02 +0000 UTC
golang.org/x/crypto 20be4c3c3ed5
        2019-05-30 12:26:14 +0000 UTC
        2019-06-01 00:35:51 +0000 UTC
                (and 81 more)
golang.org/x/crypto 22d7a77e9e5f
        2019-05-13 17:29:03 +0000 UTC
        2019-05-13 17:59:42 +0000 UTC
golang.org/x/crypto a29dc8fdc734
        2019-04-26 14:53:43 +0000 UTC
        2019-05-02 00:46:02 +0000 UTC
golang.org/x/lint 959b441ac422
        2019-04-09 20:28:23 +0000 UTC
        2019-05-11 00:54:46 +0000 UTC
golang.org/x/net 3ec191127204
        2019-05-14 14:07:10 +0000 UTC
        2019-05-15 22:43:32 +0000 UTC
                (and 1 more)
golang.org/x/net 4829fb13d2c6
        2019-04-24 11:20:56 +0000 UTC
        2019-04-24 11:27:55 +0000 UTC
golang.org/x/net 60506f45cf65
        2019-06-03 09:10:49 +0000 UTC
        2019-06-03 09:33:02 +0000 UTC
                (and 64 more)
golang.org/x/net 9ce7a6920f09
        2019-05-01 00:44:15 +0000 UTC
        2019-05-01 01:37:50 +0000 UTC
golang.org/x/net a4d6f7feada5
        2019-05-09 22:28:00 +0000 UTC
        2019-05-09 23:21:57 +0000 UTC
golang.org/x/net f3200d17e092
        2019-05-22 15:58:17 +0000 UTC
        2019-05-23 14:48:54 +0000 UTC
                (and 292 more)
golang.org/x/net f4e77d36d62c
        2019-05-03 19:29:46 +0000 UTC
        2019-05-06 00:28:11 +0000 UTC
golang.org/x/oauth2 0f29369cfe45
        2019-06-04 05:34:49 +0000 UTC
        2019-06-04 05:40:33 +0000 UTC
                (and 2 more)
golang.org/x/oauth2 950ef44c6e07
        2019-05-17 18:12:55 +0000 UTC
        2019-05-17 18:47:00 +0000 UTC
                (and 2 more)
golang.org/x/oauth2 9f3314589c9a
        2019-04-02 18:19:05 +0000 UTC
        2019-04-05 16:48:17 +0000 UTC
                (and 1 more)
golang.org/x/oauth2 aaccbc9213b0
        2019-05-23 18:27:46 +0000 UTC
        2019-05-23 18:31:34 +0000 UTC
                (and 28 more)
golang.org/x/sync 112230192c58
        2019-04-23 02:48:10 +0000 UTC
        2019-04-27 21:28:04 +0000 UTC
golang.org/x/sys 0e01d883c5c5
        2019-05-23 14:25:57 +0000 UTC
        2019-05-23 14:48:54 +0000 UTC
golang.org/x/sys 2219a0101f92
        2019-05-26 03:56:09 +0000 UTC
        2019-05-26 04:24:58 +0000 UTC
golang.org/x/sys 3626398d7749
        2019-05-28 18:36:47 +0000 UTC
        2019-05-28 18:52:58 +0000 UTC
                (and 12 more)
golang.org/x/sys 46560c3f3c0a
        2019-05-31 07:31:56 +0000 UTC
        2019-05-31 07:58:03 +0000 UTC
                (and 4 more)
golang.org/x/sys 4c3a928424d2
        2019-05-31 17:50:56 +0000 UTC
        2019-05-31 18:41:41 +0000 UTC
                (and 47 more)
golang.org/x/sys 4c4f7f33c9ed
        2019-06-02 01:53:25 +0000 UTC
        2019-06-02 03:53:34 +0000 UTC
                (and 119 more)
golang.org/x/sys 5219a1e1c5f8
        2019-05-29 13:00:38 +0000 UTC
        2019-05-29 13:27:21 +0000 UTC
                (and 1 more)
golang.org/x/sys 61b9204099cb
        2019-05-16 11:00:30 +0000 UTC
        2019-05-19 16:34:11 +0000 UTC
golang.org/x/sys 69e3a3a65b5b
        2019-05-31 13:24:40 +0000 UTC
        2019-05-31 13:51:44 +0000 UTC
                (and 3 more)
golang.org/x/sys 6a60838ec259
        2019-05-29 16:45:35 +0000 UTC
        2019-05-29 17:45:06 +0000 UTC
                (and 20 more)
golang.org/x/sys 791d8a0f4d09
        2019-05-26 05:23:59 +0000 UTC
        2019-05-26 05:33:52 +0000 UTC
                (and 37 more)
golang.org/x/sys 854af27f14a7
        2019-05-29 08:50:34 +0000 UTC
        2019-05-29 09:46:03 +0000 UTC
                (and 1 more)
golang.org/x/sys 9cd6430ef91e
        2019-05-27 10:42:16 +0000 UTC
        2019-05-27 11:25:10 +0000 UTC
                (and 18 more)
golang.org/x/sys a5b02f93d862
        2019-05-09 14:14:14 +0000 UTC
        2019-05-09 14:35:28 +0000 UTC
golang.org/x/sys abf6ff778158
        2019-05-24 12:25:48 +0000 UTC
        2019-05-24 12:37:31 +0000 UTC
golang.org/x/sys ad28b68e88f1
        2019-05-30 18:20:44 +0000 UTC
        2019-05-30 18:49:56 +0000 UTC
                (and 10 more)
golang.org/x/sys adf421d2caf4
        2019-05-28 01:25:30 +0000 UTC
        2019-05-28 01:38:23 +0000 UTC
                (and 15 more)
golang.org/x/sys afe098805b5c
        2019-06-02 01:07:38 +0000 UTC
        2019-06-02 01:54:18 +0000 UTC
golang.org/x/sys b6889370fb10
        2019-03-02 02:57:03 +0000 UTC
        2019-03-02 04:57:20 +0000 UTC
golang.org/x/sys cc920278c2cc
        2019-05-29 11:55:39 +0000 UTC
        2019-05-29 12:49:54 +0000 UTC
golang.org/x/sys dbbf3f1254d4
        2019-05-24 15:25:21 +0000 UTC
        2019-05-24 15:37:43 +0000 UTC
                (and 29 more)
golang.org/x/sys e44a3b55db15
        2019-05-26 03:10:47 +0000 UTC
        2019-05-26 03:23:47 +0000 UTC
golang.org/x/sys ea4c425e90c7
        2019-05-27 09:26:32 +0000 UTC
        2019-05-27 10:24:28 +0000 UTC
golang.org/x/text 905a57155faa
        2018-09-11 16:15:11 +0000 UTC
        2018-09-08 17:02:15 +0000 UTC
golang.org/x/time 9d24e82272b4
        2019-03-08 20:28:27 +0000 UTC
        2019-05-13 21:27:39 +0000 UTC
golang.org/x/tools 08bd53a4b4c4
        2019-05-28 20:25:02 +0000 UTC
        2019-05-28 20:27:19 +0000 UTC
                (and 3 more)
golang.org/x/tools 08e0b306e832
        2019-06-03 15:29:06 +0000 UTC
        2019-06-03 15:47:49 +0000 UTC
golang.org/x/tools 0abef6e9ecb8
        2019-06-01 11:02:25 +0000 UTC
        2019-06-01 11:37:40 +0000 UTC
                (and 16 more)
golang.org/x/tools 12d73424210d
        2019-05-30 04:37:10 +0000 UTC
        2019-05-30 04:46:27 +0000 UTC
                (and 10 more)
golang.org/x/tools 16909d206f00
        2019-01-18 19:33:59 +0000 UTC
        2019-01-30 01:41:16 +0000 UTC
golang.org/x/tools 178e83bc9d6a
        2019-06-03 18:19:26 +0000 UTC
        2019-06-03 18:55:32 +0000 UTC
golang.org/x/tools 1a7b4747f5e9
        2019-05-28 14:28:31 +0000 UTC
        2019-05-28 14:38:58 +0000 UTC
golang.org/x/tools 26e35f15edef
        2019-05-31 22:35:38 +0000 UTC
        2019-05-31 23:33:48 +0000 UTC
                (and 10 more)
golang.org/x/tools 2b03ca6e44eb
        2019-05-30 17:14:27 +0000 UTC
        2019-05-30 17:43:12 +0000 UTC
golang.org/x/tools 2c0ae7006135
        2019-05-24 14:03:12 +0000 UTC
        2019-05-24 14:37:32 +0000 UTC
                (and 3 more)
golang.org/x/tools 2de7f9bf822c
        2019-06-02 11:28:58 +0000 UTC
        2019-06-02 11:50:13 +0000 UTC
                (and 25 more)
golang.org/x/tools 31fd60d6bfdc
        2019-04-25 16:32:42 +0000 UTC
        2019-04-25 16:47:42 +0000 UTC
golang.org/x/tools 379209517ffe
        2019-01-25 23:20:54 +0000 UTC
        2019-02-05 20:13:29 +0000 UTC
golang.org/x/tools 38d8bcfa38af
        2019-05-23 17:46:34 +0000 UTC
        2019-05-23 18:37:47 +0000 UTC
                (and 17 more)
golang.org/x/tools 3d17549cdc6b
        2019-05-24 21:02:28 +0000 UTC
        2019-05-24 21:42:54 +0000 UTC
                (and 15 more)
golang.org/x/tools 521d6ed310dd
        2019-05-21 20:35:40 +0000 UTC
        2019-05-23 14:29:46 +0000 UTC
                (and 2 more)
golang.org/x/tools 6c7e314b6563
        2018-08-31 21:12:45 +0000 UTC
        2018-10-30 22:17:26 +0000 UTC
golang.org/x/tools 70bf279967a6
        2019-06-03 21:18:25 +0000 UTC
        2019-06-03 21:59:19 +0000 UTC
golang.org/x/tools 75312fb06703
        2019-05-30 21:55:28 +0000 UTC
        2019-05-30 22:45:34 +0000 UTC
                (and 17 more)
golang.org/x/tools 7be61e1b0e51
        2019-05-25 14:57:41 +0000 UTC
        2019-05-25 15:32:51 +0000 UTC
                (and 69 more)
golang.org/x/tools 8aaa1484dc10
        2019-06-03 23:13:51 +0000 UTC
        2019-06-03 23:30:10 +0000 UTC
                (and 16 more)
golang.org/x/tools 991f2949994b
        2019-05-24 12:55:31 +0000 UTC
        2019-05-24 13:50:26 +0000 UTC
golang.org/x/tools aa71c3f32488
        2019-05-29 01:04:54 +0000 UTC
        2019-05-29 01:27:14 +0000 UTC
                (and 13 more)
golang.org/x/tools b012c1979805
        2019-06-03 19:34:55 +0000 UTC
        2019-06-03 19:57:03 +0000 UTC
golang.org/x/tools b3315ee88b7d
        2019-05-31 17:21:33 +0000 UTC
        2019-05-31 17:54:26 +0000 UTC
                (and 3 more)
golang.org/x/tools b97706b7f64d
        2019-05-30 00:16:15 +0000 UTC
        2019-05-30 00:37:56 +0000 UTC
                (and 2 more)
golang.org/x/tools ce1a3806b557
        2019-05-30 18:43:49 +0000 UTC
        2019-05-30 19:41:57 +0000 UTC
golang.org/x/tools d238219cc233
        2019-05-28 15:12:38 +0000 UTC
        2019-05-28 15:44:30 +0000 UTC
                (and 2 more)
golang.org/x/tools d487f80763e2
        2019-05-24 18:48:02 +0000 UTC
        2019-05-24 19:42:50 +0000 UTC
golang.org/x/tools d850aa06e894
        2019-05-29 19:11:38 +0000 UTC
        2019-05-29 19:28:31 +0000 UTC
golang.org/x/tools f0bfdbff1f9c
        2019-03-14 01:07:20 +0000 UTC
        2019-03-15 21:40:10 +0000 UTC
golang.org/x/tools f98590f1bfc8
        2019-05-29 17:05:31 +0000 UTC
        2019-05-29 17:45:06 +0000 UTC
golang.org/x/tools fb6c8ffd2207
        2019-05-29 20:33:03 +0000 UTC
        2019-05-29 21:33:27 +0000 UTC
golang.org/x/xerrors a5947ffaac
        2019-03-15 15:13:31 +0000 UTC
        2019-05-13 16:35:51 +0000 UTC
google.golang.org/genproto bb713bdc0e52
        2019-05-16 17:26:35 +0000 UTC
        2019-05-19 16:34:11 +0000 UTC
google.golang.org/genproto c2c4e71fbf69
        2019-05-22 20:44:51 +0000 UTC
        2019-05-23 14:48:54 +0000 UTC
                (and 22 more)
google.golang.org/genproto ee236bd376b0
        2017-08-18 01:03:45 +0000 UTC
        2017-08-18 10:03:45 +0000 UTC
google.golang.org/genproto fb225487d101
        2019-05-30 19:49:41 +0000 UTC
        2019-06-01 00:35:51 +0000 UTC
                (and 82 more)
k8s.io/apimachinery 1f207b29b441
        2019-05-13 18:25:58 +0000 UTC
        2019-05-14 01:25:58 +0000 UTC
k8s.io/apimachinery 5bae42371a56
        2019-04-30 14:11:24 +0000 UTC
        2019-04-30 21:11:24 +0000 UTC
k8s.io/apimachinery 63a6072eb563
        2019-06-02 11:36:12 +0000 UTC
        2019-06-02 18:36:12 +0000 UTC
k8s.io/code-generator b1289fc74931
        2018-11-28 19:10:24 +0000 UTC
        2019-03-01 17:30:42 +0000 UTC
tmthrgd.dev/go/ddns 4f91cdabf141
        2019-04-30 00:36:47 +0000 UTC
        2019-04-30 00:41:04 +0000 UTC

[bcmills]

Unfortunately, I don't have a reverse-index of go.mod files in which (even a subset of) those versions appear.

[marwan-at-work]

Responding to @bcmills's slack question on how we usually write pseudo semvers in Go.mod files:

I never manually write a pseudo version, I usually do go get <some-pkg>@<full-long-sha> and let go convert a full long hash to a pseudo version

For example: go get github.com/pkg/errors@27936f6d90f9c8e1145f11ed52ffffbfdb9e0af7
and then my go.mod file will actually turn it into whatever pseudo semver.

It would be nice if people followed that convention and never wrote their own pseudo semvers...not sure if the Go command can help people towards that practice.

[rogpeppe]

@marwan-at-work That's what I do now, but originally I wasn't aware of that very convenient behaviour. I think that in principle it would be nice if the Go command failed on a pseudoversion with a mismatching date and suggest the alternative approach. My worry is that there are already lots of bad versions out there and this will cause people's builds to fail unexpectedly, giving more bad press to modules.

[thepudds]

Hi @bcmills, a couple questions.

Q1. From https://golang.org/cl/181881, it seems it will do a hard error if one of these types of previously allowed mistakes is found in a go.mod. Does that apply to go.mod files for both direct and indirect dependencies? I suspect the answer is yes.

If so, it means a "rare" problem on a per go.mod basis can end up being not so rare to experience when even a small-ish project can have a large count of dependencies in its module-level graph. Also, a single mistake by a single popular project could end up with wide impact, and that mistake could even happen a few months from now, if I am following.

It might make sense to be cautious here. It seems a warning in 1.13 would be less disruptive, and give more time to adapt.

Q2. Does that hard error also get triggered by any go.mod visited across the module-level dependency graph, including possibly being triggered by go.mod files from old versions that don't even end up being selected as a final version for the final build list?

If so, that increases the risk of experiencing a hard failure for something that used to work in Go 1.12, including if some indirect dependency might have fixed the problem several months ago but an old version of that go.mod still gets visited and triggers the error. That would mean the "hangover" of a mistake ends up lasting longer. That said, not sure if that applies here.

Here is an example of it failing with that CL when trying to get the current version of a reasonably popular utility:

$ go mod init tempod
$ export GOPROXY=direct
$ go get github.com/golangci/golangci-lint/...
go get: github.com/golangci/[email protected] requires
        github.com/go-critic/[email protected]: 
        pseudo-version does not match timestamp (2019-05-26T07:48:19Z)

That is devel +13c08e5389 Fri Jun 14 17:40:17.

Here is where that change seemed to happen. In that particular case, I don't know why just the commit hash of the pseudoversion was changed in the go.mod, but my first guess would be sometimes people might do a hand edit where they felt it slightly more convenient to just update the hash (without deleting the whole pseudoversion first), or perhaps in some cases people don't know that they can do "module queries" in their go.mod (including specifying just a commit hash).

Finally, sorry in advance if I am not understanding the impact of this change or when it triggers.

[thepudds]

@bcmills also, skimming over your list just now, it seems there are cases where the timestamp is a dozen or so minutes off, such as:

golang.org/x/net 60506f45cf65
        2019-06-03 09:10:49 +0000 UTC
        2019-06-03 09:33:02 +0000 UTC
                (and 64 more)

That example is probably not from a human edit, I would guess? Do you have a sense of where that type of error might be coming from?

[bcmills]

it will do a hard error if one of these types of previously allowed mistakes is found in a go.mod. Does that apply to go.mod files for both direct and indirect dependencies?

Yes. If it were to apply only to indirect dependencies, then it would be possible to “pin” an erroneous pseudo-version using a replace directive, which I don't want to allow. (The owner of the module, not the consumer of that module, should determine its mapping of commits to versions.)

If so, that increases the risk of experiencing a hard failure for something that used to work in Go 1.12, including if some indirect dependency might have fixed the problem several months ago but an old version of that go.mod still gets visited and triggers the error.

Yes. I'm actually pretty worried about that scenario, and it's something we'll need to watch closely during the beta. However, it should at least be possible to repair locally using a replace directive:

replace github.com/go-critic/go-critic v0.0.0-20181204210945-1df300866540 => v0.0.0-20190526074819-1df300866540

If we find a small number of such dependencies in central modules, we could also consider a whitelist of invalid {module, version} pairs. That's the most reasonable mitigation I can think of at this point that doesn't also allow arbitrarily-bad version strings going forward.

perhaps in some cases people don't know that they can do "module queries" in their go.mod (including specifying just a commit hash).

That seems likely to me.

[bcmills]

As for the handful of golang.org/x and similar modules with very large numbers of timestamp variations: I have no idea what's going on with those, and I hope that we can flush that problem out during the beta. My best guess is that someone, somewhere (maybe even the Go project itself!) has a buggy CI script that is attempting to produce its own pseudo-versions for specific commits (possibly the master commit?).

[bcmills]

@jayconrod suggested that I expand the search for affected versions by looking for pseudo-versions with the same timestamp but different commit hashes. Filtering out the v0.0.0-0. parse errors (for which I have no explanatory theory) and the v0.0.0-[…]+incompatible errors (which we have confirmed are a bug internal to the proxy), that expands the results as below.

github.com/census-instrumentation/opencensus-proto
	invalid base: base of pseudo-version would have a negative patch number: "v0.1.0-0.20181214143942-ba49f56771b8"
	indexed: 2019-04-11 07:33:31.341638 -0700 -0700
github.com/containerd/containerd
	invalid base: base of pseudo-version would have a negative patch number: "v1.3.0-0.20190212172151-f5b0fa220df8"
	indexed: 2019-04-11 11:52:27.818978 -0700 -0700
github.com/docker/docker
	invalid base: base of pseudo-version would have a negative patch number: "v1.14.0-0.20190319215453-e7b5f7dbe98c"
	indexed: 2019-04-22 18:43:27.023939 -0700 -0700
github.com/containerd/containerd
	invalid base: base of pseudo-version would have a negative patch number: "v1.3.0-0.20190321141026-ceba56893a76"
	indexed: 2019-04-25 14:31:11.173735 -0700 -0700
github.com/cloudwan/ginkgo
	invalid base: base of pseudo-version would have a negative patch number: "v1.6.0-0.20190213151947-95174e8d10cd"
	indexed: 2019-04-25 15:41:04.601405 -0700 -0700
github.com/containerd/containerd
	invalid base: base of pseudo-version would have a negative patch number: "v1.3.0-0.20190426060238-3a3f0aac8819"
	indexed: 2019-05-01 04:21:55.296174 -0700 -0700
github.com/modsdemo/v0tags
	invalid base: base of pseudo-version would have a negative patch number: "v0.9.0-0.20190505141014-d69de0386093"
	indexed: 2019-05-20 09:33:41.520421 -0700 -0700
github.com/docker/docker
	invalid base: base of pseudo-version would have a negative patch number: "v1.14.0-0.20190410063227-d9d9eccdc862"
	indexed: 2019-05-22 15:10:39.4473 -0700 -0700
gopkg.in/gin-gonic/gin.v1
	invalid base: base of pseudo-version would have a negative patch number: "v1.0.0-0.20170702092826-d459835d2b07"
	indexed: 2019-06-05 22:55:09.794311 -0700 -0700
github.com/netlify/netlify-commons
	invalid base: base of pseudo-version would have a negative patch number: "v0.17.0-0.20190606095701-c4d04dcc126b"
	indexed: 2019-06-06 03:11:36.277271 -0700 -0700
gopkg.in/bluesuncorp/validator.v5
	invalid base: base of pseudo-version would have a negative patch number: "v5.0.0-0.20150523023324-07cbdd2e6dfd"
	indexed: 2019-06-09 22:05:53.683348 -0700 -0700
github.com/containers/libpod
	invalid base: base of pseudo-version would have a negative patch number: "v1.4.0-0.20190614192453-4a450d55d95f"
	indexed: 2019-06-14 14:21:06.365614 -0700 -0700
github.com/google/wire
	invalid base: base of pseudo-version would have a negative patch number: "v0.3.0-0.20190611223505-93b1ce745f8d"
	indexed: 2019-06-17 10:07:09.135102 -0700 -0700
bitbucket.org/dchapes/db a88b39da22e9
timestamp varies: 
	2017-01-02 20:58:12 +0000 UTC
	2018-08-04 20:58:12 +0000 UTC
github.com/BurntSushi/xgb 27f122750802
timestamp varies: 
	2016-05-22 18:18:43 +0000 UTC
	2016-05-22 22:18:00 +0000 UTC
github.com/DeanThompson/ginpprof 3be636683586
timestamp varies: 
	2019-04-08 06:31:50 +0000 UTC
	2019-04-08 07:07:48 +0000 UTC
github.com/StackExchange/wmi cbe66965904d
timestamp varies: 
	2019-05-23 21:33:15 +0000 UTC
	2019-05-23 21:36:09 +0000 UTC
github.com/antihax/optional ca021399b1a6
timestamp varies: 
	2018-04-06 19:43:04 +0000 UTC
	2018-04-07 02:43:04 +0000 UTC
github.com/apelisse/protobuf 20190410021324
revision varies: 
	0ad0d52e9ce345a781f6c002748fc399d4efb611
	765b5b8d2dfc
github.com/awalterschulze/gographviz 1e9ccb565bca
timestamp varies: 
	2019-02-21 21:06:32 +0000 UTC
	2019-03-29 05:28:59 +0000 UTC
github.com/bingoohuang/gou 20190604082926
revision varies: 
	be6100942b5a
	bf3d9b2b55aa5840c442284656ed6b15aedc5a25
github.com/bingoohuang/gou bf3d9b2b55aa5840c442284656ed6b15aedc5a25
timestamp varies: 
	2019-05-27 05:31:07 +0000 UTC
	2019-06-04 08:29:26 +0000 UTC
github.com/c-jiazheng/yzf-common 20190604085922
revision varies: 
	6260accc7ec8
	c49557393a17
		(and 2 more)
github.com/certifi/gocertifi d2eda7129713
timestamp varies: 
	2019-05-06 16:45:43 +0000 UTC
	2019-05-06 17:44:09 +0000 UTC
github.com/coreos/go-semver 20180108230905
revision varies: 
	e214231b295
	e214231b295a
github.com/coreos/go-systemd 95778dfbb74e
timestamp varies: 
	2019-03-21 10:07:06 +0000 UTC
	2019-04-01 02:55:00 +0000 UTC
github.com/cpuguy83/go-md2man 691ee98543af
timestamp varies: 
	2018-06-19 19:30:05 +0000 UTC
	2018-06-19 20:56:30 +0000 UTC
github.com/denisenkom/go-mssqldb 731ef375ac02
timestamp varies: 
	2019-04-23 18:37:35 +0000 UTC
	2019-04-27 21:28:04 +0000 UTC
github.com/depop/logentries 20180530131341
revision varies: 
	cf541324c208164813b3bad517721012407c825f
	ecb331a4a2b0
github.com/etcd-io/etcd 35a67024f680
timestamp varies: 
	2019-06-03 11:18:07 +0000 UTC
	2019-06-03 18:18:07 +0000 UTC
github.com/fishy/gcsbucket 618d60fe84e0
timestamp varies: 
	2015-04-10 20:54:53 +0000 UTC
	2018-02-17 03:18:46 +0000 UTC
github.com/fujiwara/ridge 3b8228696ce7
timestamp varies: 
	2019-03-12 08:07:41 +0000 UTC
	2019-03-12 08:41:19 +0000 UTC
github.com/gin-contrib/static c1cdf9c9ec7b
timestamp varies: 
	2019-05-11 12:47:41 +0000 UTC
	2019-05-11 13:24:12 +0000 UTC
github.com/gin-gonic/contrib 7fb7810ed2a0
timestamp varies: 
	2019-05-26 02:17:35 +0000 UTC
	2019-05-26 02:44:57 +0000 UTC
github.com/git-lfs/go-ntlm c5056e7fa066
timestamp varies: 
	2019-03-07 20:31:51 +0000 UTC
	2019-04-01 17:57:52 +0000 UTC
github.com/go-critic/go-critic 20181204210945
revision varies: 
	c3db6069acc5
	ee9bf5809ead
github.com/go-mgo/mgo 20180705113738
revision varies: 
	7446a0344b7
	7446a0344b78
github.com/golang/lint 20190409202823
revision varies: 
	5614ed5bae6fb75893070bdc0996a68765fdd275
	959b441ac422
github.com/golang/lint 8f45f776aaf1
timestamp varies: 
	2018-12-17 17:45:47 +0000 UTC
	2019-02-27 17:43:05 +0000 UTC
github.com/golangci/errcheck 20181003203344
revision varies: 
	1765131d5be5
	ef45e06d44b6
github.com/golangci/errcheck ef45e06d44b6
timestamp varies: 
	2018-10-03 20:33:44 +0000 UTC
	2018-12-23 08:41:20 +0000 UTC
github.com/golangci/go-tools 20180109140146
revision varies: 
	35a9f45a5db0
	af6baa5dc196
github.com/golangci/go-tools 35a9f45a5db0
timestamp varies: 
	2018-01-09 14:01:46 +0000 UTC
	2019-01-24 09:00:46 +0000 UTC
github.com/golangci/gofmt 20181105071733
revision varies: 
	0b8337e80d98
	f021c4179c82
github.com/golangci/gofmt 0b8337e80d98
timestamp varies: 
	2018-11-05 07:17:33 +0000 UTC
	2018-12-22 12:35:16 +0000 UTC
github.com/golangci/gosec 20180901114220
revision varies: 
	66fb7fc33547
	8afd9cbb6cfb
github.com/golangci/lint c2187e7932b5
timestamp varies: 
	2017-09-08 18:12:59 +0000 UTC
	2018-09-02 08:04:04 +0000 UTC
github.com/golangci/lint-1 20180610141402
revision varies: 
	4bf9709227d1
	ee948d087217
github.com/golangci/unparam 7ad9dbcccc16
timestamp varies: 
	2018-09-02 11:25:48 +0000 UTC
	2018-09-02 11:51:09 +0000 UTC
github.com/google/pprof 8358a9778bd1
timestamp varies: 
	2019-05-02 14:41:55 +0000 UTC
	2019-05-09 08:38:00 +0000 UTC
github.com/hashicorp/hcl2 4b22149b7cef
timestamp varies: 
	2019-05-15 22:32:18 +0000 UTC
	2019-05-15 22:43:32 +0000 UTC
github.com/justinas/alice 20160910103822
revision varies: 
	03f45bd4b7da
	1051eaf52fca
github.com/justinas/alice 03f45bd4b7da
timestamp varies: 
	2016-09-10 10:38:22 +0000 UTC
	2017-10-23 06:44:55 +0000 UTC
github.com/knq/sdhook 4d2800fd245c
timestamp varies: 
	2019-05-12 23:18:55 +0000 UTC
	2019-05-12 23:42:13 +0000 UTC
github.com/lib/pq 20190320221453
revision varies: 
	2ff3cb3
	51e2106
		(and 1 more)
github.com/mgechev/dots 18fa4c4b71cc
timestamp varies: 
	2018-12-28 16:47:30 +0000 UTC
	2019-06-03 12:26:14 +0000 UTC
github.com/pierrec/lz4 20181027085611
revision varies: 
	623b5a2f4d2a
	623b5a2f4d2a41e4
github.com/prometheus/procfs 0c11a8e341bf
timestamp varies: 
	2019-05-30 14:28:22 +0000 UTC
	2019-05-30 14:47:49 +0000 UTC
github.com/prometheus/procfs 3cb620ac02d0
timestamp varies: 
	2019-05-28 15:12:40 +0000 UTC
	2019-05-28 15:47:54 +0000 UTC
github.com/prometheus/procfs 5867b95ac084
timestamp varies: 
	2019-05-07 16:40:30 +0000 UTC
	2019-05-13 00:39:49 +0000 UTC
github.com/prometheus/procfs 65bdadfa96ae
timestamp varies: 
	2019-05-29 15:59:44 +0000 UTC
	2019-05-29 17:30:44 +0000 UTC
github.com/prometheus/procfs 740c07785007
timestamp varies: 
	2019-05-03 13:03:16 +0000 UTC
	2019-05-06 00:28:11 +0000 UTC
github.com/prometheus/procfs 87a4384529e0
timestamp varies: 
	2019-04-25 08:29:05 +0000 UTC
	2019-04-30 20:53:26 +0000 UTC
github.com/prometheus/procfs 9935e8e0588d
timestamp varies: 
	2019-05-19 11:10:21 +0000 UTC
	2019-05-20 13:46:16 +0000 UTC
github.com/prometheus/procfs a7aeb8df3389
timestamp varies: 
	2019-05-23 19:31:04 +0000 UTC
	2019-05-23 19:40:42 +0000 UTC
github.com/prometheus/procfs bbced9601137
timestamp varies: 
	2019-02-27 23:14:51 +0000 UTC
	2019-02-28 00:09:57 +0000 UTC
github.com/prometheus/procfs bc1a522cf7b1
timestamp varies: 
	2019-05-22 11:45:15 +0000 UTC
	2019-05-23 18:31:34 +0000 UTC
github.com/puppyanger/ppap 20190518161905
revision varies: 
	2a7269177dae
	58974b8523e6
		(and 2 more)
github.com/puppyanger/ppap 20190518161913
revision varies: 
	1ec4faa40270
	58d9d2900676
		(and 3 more)
github.com/puppyanger/ppap 20190518161922
revision varies: 
	01025d20f0e6
	11e529f2bfea
		(and 3 more)
github.com/puppyanger/ppap 20190518161930
revision varies: 
	29d6dbf02765
	2b2da725a9d1
		(and 3 more)
github.com/puppyanger/ppap 20190518161939
revision varies: 
	98e6d6b0726f
	c9585dbc31dc
github.com/puppyanger/ppap 20190518161940
revision varies: 
	449fab5c7558
	6873f410ee02
		(and 1 more)
github.com/puppyanger/ppap 20190518161948
revision varies: 
	165d5809c3cc
	2a9b56189168
		(and 1 more)
github.com/puppyanger/ppap 20190518161953
revision varies: 
	0ff4e758899d
	13e977992132
		(and 3 more)
github.com/puppyanger/ppap 20190518161956
revision varies: 
	3d2851ddb354
	3e1c98cd0ef7
		(and 2 more)
github.com/puppyanger/ppap 20190518161958
revision varies: 
	177bb9290e53
	8734ad6d44d9
		(and 3 more)
github.com/puppyanger/ppap 20190518162000
revision varies: 
	2cfa89900371
	4257d057a485
		(and 3 more)
github.com/puppyanger/ppap 20190518162003
revision varies: 
	3fe1f6ea1ab1
	5b7efa63721a
		(and 3 more)
github.com/puppyanger/ppap 20190518162005
revision varies: 
	0e072867b8c6
	2f8fe8ea8e6a
		(and 3 more)
github.com/puppyanger/ppap 20190518162007
revision varies: 
	24277fdc2c6b
	64fb4d755fc4
		(and 3 more)
github.com/puppyanger/ppap 20190518162009
revision varies: 
	2019a1aa9469
	7cf9ba556e7f
		(and 3 more)
github.com/puppyanger/ppap 20190518162013
revision varies: 
	20dde38e5fa9
	3b28b420723d
		(and 3 more)
github.com/puppyanger/ppap 20190518162016
revision varies: 
	381990db185b
	38981ed2ec18
		(and 3 more)
github.com/puppyanger/ppap 20190518162024
revision varies: 
	134cbdf34e08
	2efb42769d74
		(and 3 more)
github.com/puppyanger/ppap 20190518162031
revision varies: 
	27e3fb4c9479
	31a3b7701413
		(and 3 more)
github.com/puppyanger/ppap 20190518162038
revision varies: 
	0edd370da91a
	1ffc8df59c73
		(and 3 more)
github.com/puppyanger/ppap 20190518162048
revision varies: 
	0c27077eea5d
	2cb9e6724ca4
github.com/rubenv/sql-migrate 20180704111356
revision varies: 
	3f452fc0ebeb
	ba2c6a7295c59448dbc195cef2f41df5163b3892
github.com/smartystreets/assertions 980c5ac6f3ac
timestamp varies: 
	2019-02-15 21:06:24 +0000 UTC
	2019-03-30 03:27:15 +0000 UTC
github.com/smartystreets/assertions f487f9de1cd3
timestamp varies: 
	2019-04-01 21:17:40 +0000 UTC
	2019-05-30 18:08:12 +0000 UTC
github.com/smartystreets/goconvey 20190330032615
revision varies: 
	68dc04aab96a
	ef6db91d284a
github.com/smartystreets/goconvey 68dc04aab96a
timestamp varies: 
	2019-03-30 03:26:15 +0000 UTC
	2019-03-30 03:27:15 +0000 UTC
		(and 290 more)
github.com/smartystreets/goconvey ef6db91d284a
timestamp varies: 
	2018-02-22 19:45:00 +0000 UTC
	2019-03-30 03:26:15 +0000 UTC
github.com/spf13/cobra c46add8a6528
timestamp varies: 
	0001-01-01 00:00:00 +0000 UTC
	2017-07-11 12:08:33 +0000 UTC
github.com/u-root/u-root 20170902185051
revision varies: 
	019d26a9fb3c
	3dbbc137085a
		(and 1 more)
github.com/ugorji/go/codec e444a5086c43
timestamp varies: 
	2019-02-04 20:13:41 +0000 UTC
	2019-04-29 20:13:41 +0000 UTC
github.com/zclconf/go-cty 4fecf87372ec
timestamp varies: 
	2019-05-16 20:38:16 +0000 UTC
	2019-05-19 16:34:11 +0000 UTC
go.etcd.io/etcd 35a67024f680
timestamp varies: 
	2019-06-03 11:18:07 +0000 UTC
	2019-06-03 18:18:07 +0000 UTC
go4.org 94abd6928b1d
timestamp varies: 
	2019-03-13 08:23:47 +0000 UTC
	2019-04-30 20:53:26 +0000 UTC
golang.org/x/arch 788fe5ffcd8c
timestamp varies: 
	2019-03-12 16:21:04 +0000 UTC
	2019-03-29 05:28:59 +0000 UTC
golang.org/x/crypto 20190129210102
revision varies: 
	0709b304e793
	ccddf3741a0c
golang.org/x/crypto 0709b304e793
timestamp varies: 
	2018-09-04 16:38:35 +0000 UTC
	2019-01-29 21:01:02 +0000 UTC
golang.org/x/crypto 20be4c3c3ed5
timestamp varies: 
	2019-05-30 12:26:14 +0000 UTC
	2019-06-01 00:35:51 +0000 UTC
		(and 81 more)
golang.org/x/crypto 22d7a77e9e5f
timestamp varies: 
	2019-05-13 17:29:03 +0000 UTC
	2019-05-13 17:59:42 +0000 UTC
golang.org/x/crypto a29dc8fdc734
timestamp varies: 
	2019-04-26 14:53:43 +0000 UTC
	2019-05-02 00:46:02 +0000 UTC
golang.org/x/lint 959b441ac422
timestamp varies: 
	2019-04-09 20:28:23 +0000 UTC
	2019-05-11 00:54:46 +0000 UTC
golang.org/x/net 3ec191127204
timestamp varies: 
	2019-05-14 14:07:10 +0000 UTC
	2019-05-15 22:43:32 +0000 UTC
		(and 1 more)
golang.org/x/net 4829fb13d2c6
timestamp varies: 
	2019-04-24 11:20:56 +0000 UTC
	2019-04-24 11:27:55 +0000 UTC
golang.org/x/net 60506f45cf65
timestamp varies: 
	2019-06-03 09:10:49 +0000 UTC
	2019-06-03 09:33:02 +0000 UTC
		(and 64 more)
golang.org/x/net 9ce7a6920f09
timestamp varies: 
	2019-05-01 00:44:15 +0000 UTC
	2019-05-01 01:37:50 +0000 UTC
golang.org/x/net a4d6f7feada5
timestamp varies: 
	2019-05-09 22:28:00 +0000 UTC
	2019-05-09 23:21:57 +0000 UTC
golang.org/x/net f3200d17e092
timestamp varies: 
	2019-05-22 15:58:17 +0000 UTC
	2019-05-23 14:48:54 +0000 UTC
		(and 292 more)
golang.org/x/net f4e77d36d62c
timestamp varies: 
	2019-05-03 19:29:46 +0000 UTC
	2019-05-06 00:28:11 +0000 UTC
golang.org/x/oauth2 0f29369cfe45
timestamp varies: 
	2019-06-04 05:34:49 +0000 UTC
	2019-06-04 05:40:33 +0000 UTC
		(and 2 more)
golang.org/x/oauth2 950ef44c6e07
timestamp varies: 
	2019-05-17 18:12:55 +0000 UTC
	2019-05-17 18:47:00 +0000 UTC
		(and 2 more)
golang.org/x/oauth2 9f3314589c9a
timestamp varies: 
	2019-04-02 18:19:05 +0000 UTC
	2019-04-05 16:48:17 +0000 UTC
		(and 1 more)
golang.org/x/oauth2 aaccbc9213b0
timestamp varies: 
	2019-05-23 18:27:46 +0000 UTC
	2019-05-23 18:31:34 +0000 UTC
		(and 28 more)
golang.org/x/sync 112230192c58
timestamp varies: 
	2019-04-23 02:48:10 +0000 UTC
	2019-04-27 21:28:04 +0000 UTC
golang.org/x/sys 0e01d883c5c5
timestamp varies: 
	2019-05-23 14:25:57 +0000 UTC
	2019-05-23 14:48:54 +0000 UTC
golang.org/x/sys 2219a0101f92
timestamp varies: 
	2019-05-26 03:56:09 +0000 UTC
	2019-05-26 04:24:58 +0000 UTC
golang.org/x/sys 3626398d7749
timestamp varies: 
	2019-05-28 18:36:47 +0000 UTC
	2019-05-28 18:52:58 +0000 UTC
		(and 12 more)
golang.org/x/sys 46560c3f3c0a
timestamp varies: 
	2019-05-31 07:31:56 +0000 UTC
	2019-05-31 07:58:03 +0000 UTC
		(and 4 more)
golang.org/x/sys 4c3a928424d2
timestamp varies: 
	2019-05-31 17:50:56 +0000 UTC
	2019-05-31 18:41:41 +0000 UTC
		(and 47 more)
golang.org/x/sys 4c4f7f33c9ed
timestamp varies: 
	2019-06-02 01:53:25 +0000 UTC
	2019-06-02 03:53:34 +0000 UTC
		(and 119 more)
golang.org/x/sys 5219a1e1c5f8
timestamp varies: 
	2019-05-29 13:00:38 +0000 UTC
	2019-05-29 13:27:21 +0000 UTC
		(and 1 more)
golang.org/x/sys 61b9204099cb
timestamp varies: 
	2019-05-16 11:00:30 +0000 UTC
	2019-05-19 16:34:11 +0000 UTC
golang.org/x/sys 69e3a3a65b5b
timestamp varies: 
	2019-05-31 13:24:40 +0000 UTC
	2019-05-31 13:51:44 +0000 UTC
		(and 3 more)
golang.org/x/sys 6a60838ec259
timestamp varies: 
	2019-05-29 16:45:35 +0000 UTC
	2019-05-29 17:45:06 +0000 UTC
		(and 20 more)
golang.org/x/sys 791d8a0f4d09
timestamp varies: 
	2019-05-26 05:23:59 +0000 UTC
	2019-05-26 05:33:52 +0000 UTC
		(and 37 more)
golang.org/x/sys 854af27f14a7
timestamp varies: 
	2019-05-29 08:50:34 +0000 UTC
	2019-05-29 09:46:03 +0000 UTC
		(and 1 more)
golang.org/x/sys 9cd6430ef91e
timestamp varies: 
	2019-05-27 10:42:16 +0000 UTC
	2019-05-27 11:25:10 +0000 UTC
		(and 18 more)
golang.org/x/sys a5b02f93d862
timestamp varies: 
	2019-05-09 14:14:14 +0000 UTC
	2019-05-09 14:35:28 +0000 UTC
golang.org/x/sys abf6ff778158
timestamp varies: 
	2019-05-24 12:25:48 +0000 UTC
	2019-05-24 12:37:31 +0000 UTC
golang.org/x/sys ad28b68e88f1
timestamp varies: 
	2019-05-30 18:20:44 +0000 UTC
	2019-05-30 18:49:56 +0000 UTC
		(and 10 more)
golang.org/x/sys adf421d2caf4
timestamp varies: 
	2019-05-28 01:25:30 +0000 UTC
	2019-05-28 01:38:23 +0000 UTC
		(and 15 more)
golang.org/x/sys afe098805b5c
timestamp varies: 
	2019-06-02 01:07:38 +0000 UTC
	2019-06-02 01:54:18 +0000 UTC
golang.org/x/sys b6889370fb10
timestamp varies: 
	2019-03-02 02:57:03 +0000 UTC
	2019-03-02 04:57:20 +0000 UTC
golang.org/x/sys cc920278c2cc
timestamp varies: 
	2019-05-29 11:55:39 +0000 UTC
	2019-05-29 12:49:54 +0000 UTC
golang.org/x/sys dbbf3f1254d4
timestamp varies: 
	2019-05-24 15:25:21 +0000 UTC
	2019-05-24 15:37:43 +0000 UTC
		(and 29 more)
golang.org/x/sys e44a3b55db15
timestamp varies: 
	2019-05-26 03:10:47 +0000 UTC
	2019-05-26 03:23:47 +0000 UTC
golang.org/x/sys ea4c425e90c7
timestamp varies: 
	2019-05-27 09:26:32 +0000 UTC
	2019-05-27 10:24:28 +0000 UTC
golang.org/x/text 905a57155faa
timestamp varies: 
	2018-09-11 16:15:11 +0000 UTC
	2018-09-08 17:02:15 +0000 UTC
golang.org/x/time 9d24e82272b4
timestamp varies: 
	2019-03-08 20:28:27 +0000 UTC
	2019-05-13 21:27:39 +0000 UTC
golang.org/x/tools 20180831211245
revision varies: 
	6c7e314b6563
	7ca132754999
golang.org/x/tools 20190125232054
revision varies: 
	379209517ffe
	d66bd3c5d5a6
golang.org/x/tools 20190314010720
revision varies: 
	1286b2016bb1
	f0bfdbff1f9c
golang.org/x/tools 08bd53a4b4c4
timestamp varies: 
	2019-05-28 20:25:02 +0000 UTC
	2019-05-28 20:27:19 +0000 UTC
		(and 3 more)
golang.org/x/tools 08e0b306e832
timestamp varies: 
	2019-06-03 15:29:06 +0000 UTC
	2019-06-03 15:47:49 +0000 UTC
golang.org/x/tools 0abef6e9ecb8
timestamp varies: 
	2019-06-01 11:02:25 +0000 UTC
	2019-06-01 11:37:40 +0000 UTC
		(and 16 more)
golang.org/x/tools 12d73424210d
timestamp varies: 
	2019-05-30 04:37:10 +0000 UTC
	2019-05-30 04:46:27 +0000 UTC
		(and 10 more)
golang.org/x/tools 16909d206f00
timestamp varies: 
	2019-01-18 19:33:59 +0000 UTC
	2019-01-30 01:41:16 +0000 UTC
golang.org/x/tools 178e83bc9d6a
timestamp varies: 
	2019-06-03 18:19:26 +0000 UTC
	2019-06-03 18:55:32 +0000 UTC
golang.org/x/tools 1a7b4747f5e9
timestamp varies: 
	2019-05-28 14:28:31 +0000 UTC
	2019-05-28 14:38:58 +0000 UTC
golang.org/x/tools 26e35f15edef
timestamp varies: 
	2019-05-31 22:35:38 +0000 UTC
	2019-05-31 23:33:48 +0000 UTC
		(and 10 more)
golang.org/x/tools 2b03ca6e44eb
timestamp varies: 
	2019-05-30 17:14:27 +0000 UTC
	2019-05-30 17:43:12 +0000 UTC
golang.org/x/tools 2c0ae7006135
timestamp varies: 
	2019-05-24 14:03:12 +0000 UTC
	2019-05-24 14:37:32 +0000 UTC
		(and 3 more)
golang.org/x/tools 2de7f9bf822c
timestamp varies: 
	2019-06-02 11:28:58 +0000 UTC
	2019-06-02 11:50:13 +0000 UTC
		(and 25 more)
golang.org/x/tools 31fd60d6bfdc
timestamp varies: 
	2019-04-25 16:32:42 +0000 UTC
	2019-04-25 16:47:42 +0000 UTC
golang.org/x/tools 379209517ffe
timestamp varies: 
	2019-01-25 23:20:54 +0000 UTC
	2019-02-05 20:13:29 +0000 UTC
golang.org/x/tools 38d8bcfa38af
timestamp varies: 
	2019-05-23 17:46:34 +0000 UTC
	2019-05-23 18:37:47 +0000 UTC
		(and 17 more)
golang.org/x/tools 3d17549cdc6b
timestamp varies: 
	2019-05-24 21:02:28 +0000 UTC
	2019-05-24 21:42:54 +0000 UTC
		(and 15 more)
golang.org/x/tools 521d6ed310dd
timestamp varies: 
	2019-05-21 20:35:40 +0000 UTC
	2019-05-23 14:29:46 +0000 UTC
		(and 2 more)
golang.org/x/tools 6c7e314b6563
timestamp varies: 
	2018-08-31 21:12:45 +0000 UTC
	2018-10-30 22:17:26 +0000 UTC
golang.org/x/tools 70bf279967a6
timestamp varies: 
	2019-06-03 21:18:25 +0000 UTC
	2019-06-03 21:59:19 +0000 UTC
golang.org/x/tools 75312fb06703
timestamp varies: 
	2019-05-30 21:55:28 +0000 UTC
	2019-05-30 22:45:34 +0000 UTC
		(and 17 more)
golang.org/x/tools 7be61e1b0e51
timestamp varies: 
	2019-05-25 14:57:41 +0000 UTC
	2019-05-25 15:32:51 +0000 UTC
		(and 69 more)
golang.org/x/tools 8aaa1484dc10
timestamp varies: 
	2019-06-03 23:13:51 +0000 UTC
	2019-06-03 23:30:10 +0000 UTC
		(and 16 more)
golang.org/x/tools 991f2949994b
timestamp varies: 
	2019-05-24 12:55:31 +0000 UTC
	2019-05-24 13:50:26 +0000 UTC
golang.org/x/tools aa71c3f32488
timestamp varies: 
	2019-05-29 01:04:54 +0000 UTC
	2019-05-29 01:27:14 +0000 UTC
		(and 13 more)
golang.org/x/tools b012c1979805
timestamp varies: 
	2019-06-03 19:34:55 +0000 UTC
	2019-06-03 19:57:03 +0000 UTC
golang.org/x/tools b3315ee88b7d
timestamp varies: 
	2019-05-31 17:21:33 +0000 UTC
	2019-05-31 17:54:26 +0000 UTC
		(and 3 more)
golang.org/x/tools b97706b7f64d
timestamp varies: 
	2019-05-30 00:16:15 +0000 UTC
	2019-05-30 00:37:56 +0000 UTC
		(and 2 more)
golang.org/x/tools ce1a3806b557
timestamp varies: 
	2019-05-30 18:43:49 +0000 UTC
	2019-05-30 19:41:57 +0000 UTC
golang.org/x/tools d238219cc233
timestamp varies: 
	2019-05-28 15:12:38 +0000 UTC
	2019-05-28 15:44:30 +0000 UTC
		(and 2 more)
golang.org/x/tools d487f80763e2
timestamp varies: 
	2019-05-24 18:48:02 +0000 UTC
	2019-05-24 19:42:50 +0000 UTC
golang.org/x/tools d850aa06e894
timestamp varies: 
	2019-05-29 19:11:38 +0000 UTC
	2019-05-29 19:28:31 +0000 UTC
golang.org/x/tools f0bfdbff1f9c
timestamp varies: 
	2019-03-14 01:07:20 +0000 UTC
	2019-03-15 21:40:10 +0000 UTC
golang.org/x/tools f98590f1bfc8
timestamp varies: 
	2019-05-29 17:05:31 +0000 UTC
	2019-05-29 17:45:06 +0000 UTC
golang.org/x/tools fb6c8ffd2207
timestamp varies: 
	2019-05-29 20:33:03 +0000 UTC
	2019-05-29 21:33:27 +0000 UTC
golang.org/x/xerrors 20190315151331
revision varies: 
	a5947ffaac
	d61658bd2e18
golang.org/x/xerrors 20190513163551
revision varies: 
	3ee3066db522
	a5947ffaac
golang.org/x/xerrors a5947ffaac
timestamp varies: 
	2019-03-15 15:13:31 +0000 UTC
	2019-05-13 16:35:51 +0000 UTC
google.golang.org/genproto bb713bdc0e52
timestamp varies: 
	2019-05-16 17:26:35 +0000 UTC
	2019-05-19 16:34:11 +0000 UTC
google.golang.org/genproto c2c4e71fbf69
timestamp varies: 
	2019-05-22 20:44:51 +0000 UTC
	2019-05-23 14:48:54 +0000 UTC
		(and 22 more)
google.golang.org/genproto ee236bd376b0
timestamp varies: 
	2017-08-18 01:03:45 +0000 UTC
	2017-08-18 10:03:45 +0000 UTC
google.golang.org/genproto fb225487d101
timestamp varies: 
	2019-05-30 19:49:41 +0000 UTC
	2019-06-01 00:35:51 +0000 UTC
		(and 82 more)
k8s.io/api 20190602125759
revision varies: 
	1d8a3c80f93a
	c1e9adbde704
k8s.io/apimachinery 1f207b29b441
timestamp varies: 
	2019-05-13 18:25:58 +0000 UTC
	2019-05-14 01:25:58 +0000 UTC
k8s.io/apimachinery 5bae42371a56
timestamp varies: 
	2019-04-30 14:11:24 +0000 UTC
	2019-04-30 21:11:24 +0000 UTC
k8s.io/apimachinery 63a6072eb563
timestamp varies: 
	2019-06-02 11:36:12 +0000 UTC
	2019-06-02 18:36:12 +0000 UTC
k8s.io/client-go 20190528154735
revision varies: 
	79226fe1949a
	df931a0dfc8c
k8s.io/code-generator b1289fc74931
timestamp varies: 
	2018-11-28 19:10:24 +0000 UTC
	2019-03-01 17:30:42 +0000 UTC
sigs.k8s.io/structured-merge-diff 20190302045857
revision varies: 
	e85c7b244fd2
	ea680f03cc65b
tmthrgd.dev/go/ddns 4f91cdabf141
timestamp varies: 
	2019-04-30 00:36:47 +0000 UTC
	2019-04-30 00:41:04 +0000 UTC

[bcmills]

Of the remaining invalid base revisions:

• Two come from replace directives.

  • github.com/census-instrumentation/opencensus-proto v0.1.0-0.20181214143942-ba49f56771b8 comes from github.com/pulumi/tf2pulumi.
  • github.com/cloudwan/ginkgo v1.6.0-0.20190213151947-95174e8d10cd comes from a github.com/cloudwan/gohan.
  • Since replace directives don't affect downstream modules, the damage from these is very limited.

• The bad versions of github.com/containerd/containerd and github.com/docker/docker are from manual edits in github.com/docker/buildx and github.com/moby/buildkit by one or a small number of authors (@tonistiigi in particular).

  • Those are concerning because of the large number of modules with transitive dependencies within the docker ecosystem. It's not obvious to me whether buildx or buildkit are central modules within that ecosystem, but if so we may need to whitelist the specific versions in question.

• The bad version of github.com/modsdemo/v0tags is due to manual testing by @leitzler.

• I could not locate the remainder with a Google or GitHub search. I suspect they are dependencies of non-public modules.

  • gopkg.in/gin-gonic/gin.v1 v1.0.0-0.20170702092826-d459835d2b07
  • github.com/netlify/netlify-commons v0.17.0-0.20190606095701-c4d04dcc126b
  • gopkg.in/bluesuncorp/validator.v5 v5.0.0-0.20150523023324-07cbdd2e6dfd
  • github.com/containers/libpod v1.4.0-0.20190614192453-4a450d55d95f
  • github.com/google/wire v0.3.0-0.20190611223505-93b1ce745f8d
  • I would guess that non-public modules are easier to fix in general than public ones, since they necessarily can't be dependencies of public modules.

[bcmills]

Many of the inconsistent revisions appear in what appear to be smaller-scale forks of larger modules. The long revisions in particular tend to appear in replace directives.

The skewed k8s.io dates in particular tend to be offset by 7 hours. That suggests a bug in a conversion between America/Los_Angeles and UTC, and I'm guessing has something to do with the peculiar way they're using replace directives (see kubernetes/kubernetes#63607; CC @liggitt).

[thepudds]

This seems to at least attempt to use the go command to get the version string for a SHA:

https://github.com/kubernetes/kubernetes/blob/master/hack/pin-dependency.sh#L75

But maybe that is not right, or maybe another script does it incorrectly.

[liggitt]

k8s.io/apimachinery 1f207b29b441
        2019-05-13 18:25:58 +0000 UTC
        2019-05-14 01:25:58 +0000 UTC
k8s.io/apimachinery 5bae42371a56
        2019-04-30 14:11:24 +0000 UTC
        2019-04-30 21:11:24 +0000 UTC
k8s.io/apimachinery 63a6072eb563
        2019-06-02 11:36:12 +0000 UTC
        2019-06-02 18:36:12 +0000 UTC
k8s.io/code-generator b1289fc74931
        2018-11-28 19:10:24 +0000 UTC
        2019-03-01 17:30:42 +0000 UTC

Probably https://github.com/kubernetes/publishing-bot/blob/1481c50c852502b9cccdbcf45fac7352efe72701/artifacts/scripts/util.sh#L882-L884

cc @sttts

[tmthrgd]

tmthrgd.dev/go/ddns is my package, but I've since switched the import path over to go.tmthrgd.dev/ddns. It's a command line tool so I'm certain it never appeared in a go.mod file.

Grepping through my bash history I see the following that line up:

24154  [2019-04-30 10:07:18] GO111MODULE=on go install tmthrgd.dev/go/ddns
24158  [2019-04-30 10:07:46] go install tmthrgd.dev/go/ddns

I believe I was in a $GOPATH/src directory and at the time I had GOPROXY=https://proxy.golang.org set.

These are the go installs I did before and after that time so I was running go1.12.1 at the time (for above go is ~/sdk/go1.12.1/bin/go).

23689  [2019-03-21 16:53:18] go get golang.org/dl/go1.12.1
23690  [2019-03-21 16:53:26] go1.12.1 download
24178  [2019-04-30 15:32:49] go get golang.org/dl/go1.12.4
24180  [2019-04-30 15:33:07] go1.12.4 download

My go env should have looked like this:

$ GOPROXY=https://proxy.golang.org go1.12.1 env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/tom/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/tom/go"
GOPROXY="https://proxy.golang.org"
GORACE=""
GOROOT="/home/tom/sdk/go1.12.1"
GOTMPDIR=""
GOTOOLDIR="/home/tom/sdk/go1.12.1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build145672369=/tmp/go-build -gno-record-gcc-switches"

My timezone is:

$ date +"%Z %z"
ACST +0930

Just for reference this line appears in my bash history and lines up with one of the timestamps:

24152  [2019-04-30 10:06:47] git commit

It was run in the module directory and I have a precommit hook that runs gofmt -l (edit: on individual changed .go files), though I don't know how or why that would affect anything.

I'm happy to provide any more information if needed.

[bcmills]

Confirmed that the v0.0.0-0. entries are due to a bug internal to the Go module proxy, introduced around June 3 and fixed around June 12 (part of the fix for #32461). Hopefully that's a short enough window that those invalid versions are not widespread.

[bcmills]

Looks like the k8s.io issue should be fixed in kubernetes/publishing-bot#186.

[bcmills]

@tmthrgd, thanks for the info. Most likely the error is in some consumer of your module rather than your module itself. (We're still trying to figure out how to investigate the sources of these errors, at least when those sources are other open-source modules.)

[jayconrod]

I did some analysis on whether CL 181881 would break many projects. I found 12 modules out of 1531 analyzed that would be broken. This seems like a small enough number that I think we should proceed with the fix as it is.

---

Methodology

• Started with a list of 5000 frequently imported packages.
• Extracted a list of 1632 modules providing those package. Removed modules with upper case letters in the module paths (sorry, I realized these needed escaping too late, and this would have delayed analysis further. I don't think this reduced coverage too much). 1531 modules were left.
• For each module:
  • Downloaded the latest go.mod file I could find. I mainly used https://proxy.golang.org/<modpath>/@latest to tell me the latest version, then https://proxy.golang.org/<modpath>/@v/<version>.mod to get this. If @latest was not available, I used the last value in https://proxy.golang.org/<modpath>/@v/list for the version.
  • Ran go list -m all with CL 181881 and with Go 1.12.6 for comparison. Both commands were run with GOPROXY=direct. A different GOPATH was used for each Go version, but each GOPATH was shared with all modules to avoid hitting GitHub too hard (I already got rate limited a bit).
  • Logged differences and failures.

---

Findings

I didn't find any modules where the build list was constructed successfully but with differences in both versions of Go.

There were 2 modules where the latest version has an incorrect module path. For example in gopkg.in/gin-gonic/[email protected], the module path is github.com/gin-gonic/gin. I skipped these, since the correct name of the module was covered already.

There were 12 modules with new validation errors due to this CL.

github.com/appscode/go
go: github.com/flosch/[email protected] requires
	github.com/go-check/[email protected]: invalid pseudo-version: major version without preceding tag must be v0, not v1

github.com/cloudflare/cloudflare-go
go: golang.org/x/[email protected]: invalid pseudo-version: does not match version-control timestamp (2019-04-09T20:28:23Z)

github.com/dubbo/go-for-apache-dubbo
go: github.com/dubbogo/[email protected]: invalid pseudo-version: does not match version-control timestamp (2019-05-23T10:03:29Z)

github.com/flosch/pongo2
go: github.com/go-check/[email protected]: invalid pseudo-version: major version without preceding tag must be v0, not v1

github.com/go-interpreter/wagon
go: github.com/twitchyliquid64/[email protected]: invalid pseudo-version: does not match version-control timestamp (2019-01-26T20:37:39Z)

github.com/jhump/protoreflect
go: google.golang.org/[email protected]: invalid pseudo-version: does not match version-control timestamp (2017-08-18T01:03:45Z)

github.com/lightninglabs/neutrino
go: github.com/btcsuite/[email protected] requires
	github.com/lightninglabs/[email protected] requires
	github.com/btcsuite/[email protected] requires
	github.com/lightninglabs/[email protected] requires
	github.com/btcsuite/btcwallet@v0.0.0-20180904010540-284e2e0e696e33d5be388f7f3d9a26db703e0c06: invalid pseudo-version: revision is longer than canonical (284e2e0e696e)

github.com/ltcsuite/ltcd
go: github.com/ltcsuite/[email protected]: invalid pseudo-version: does not match version-control timestamp (2019-05-07T13:33:22Z)

github.com/tonistiigi/fsutil
go: golang.org/x/[email protected]: invalid pseudo-version: does not match version-control timestamp (2018-09-04T16:38:35Z)

gomodules.xyz/cert
go: github.com/appscode/[email protected] requires
	github.com/flosch/[email protected] requires
	github.com/go-check/[email protected]: invalid pseudo-version: major version without preceding tag must be v0, not v1

kmodules.xyz/client-go
go: github.com/appscode/[email protected] requires
	github.com/flosch/[email protected] requires
	github.com/go-check/[email protected]: invalid pseudo-version: major version without preceding tag must be v0, not v1

kmodules.xyz/offshoot-api
go: kmodules.xyz/[email protected] requires
	github.com/appscode/[email protected] requires
	github.com/flosch/[email protected] requires
	github.com/go-check/[email protected]: invalid pseudo-version: major version without preceding tag must be v0, not v1

I was happy not to see any problems with invalid +incompatible versions. Several modules require github.com/pierrec/lz4 v2.0.5+incompatible, which is the last valid version.

[thepudds]

Maybe this is unrelated, but posting here for now in case it is related.

Getting k8s.io/kubernetes at master then k8s.io/api at master fails with gotip complaining about unknown revision v0.0.0, but same steps work with Go 1.12.6 without error.

go get golang.org/dl/gotip && gotip download

export GOPROXY=direct
export GOSUMDB=off
export GOPATH=$(mktemp -d)
cd $(mktemp -d)

gotip mod init m
gotip get -v -d k8s.io/kubernetes@master    # current master: 8c3b7d7679cc
gotip get -v -d k8s.io/api@master           # current master: dcce3486da33

which fails with:

go: extracting k8s.io/api v0.0.0-20190620073856-dcce3486da33
go: downloading k8s.io/api v0.0.0
go get k8s.io/api@master: unknown revision v0.0.0

mod graph says:

gotip mod graph | egrep 'k8s.io/[email protected]$' 
k8s.io/[email protected] k8s.io/[email protected]

gotip is devel +c290cb6 Sun Jun 23 22:20:39 2019 +0000 linux/amd64.

[thepudds]

The bad versions of github.com/containerd/containerd and github.com/docker/docker [...]

Those are concerning because of the large number of modules with transitive dependencies within the docker ecosystem. It's not obvious to me whether buildx or buildkit are central modules within that ecosystem, but if so we may need to whitelist the specific versions in question.

Probably not a surprise, but cloning docker, then doing mod init followed by mod tidy fails with tip:

export GOPROXY=direct
export GOSUMDB=off
export GOPATH=$(mktemp -d)

git clone --depth=1 https://github.com/docker/docker
cd docker
gotip mod init
gotip mod tidy

which fails with:

go: github.com/moby/[email protected] requires
        github.com/containerd/[email protected]: 
        invalid pseudo-version: version before v1.3.0 would have negative patch number

Those steps pass with Go 1.12.6.

[gopherbot]

Change https://golang.org/cl/183618 mentions this issue: cmd/go/internal/modfetch: treat a missing go.mod file as a “not exist” error

[gopherbot]

Change https://golang.org/cl/183619 mentions this issue: cmd/go/internal/modfetch: return structured errors from proxy operations

[bcmills]

@thepudds, I don't know why go1.12.6 doesn't detect the error in k8s.io/kubernetes, but gotip is correct to fail that sequence.

k8s.io/kubernetes requires k8s.io/api v0.0.0 here. There is no such version of k8s.io/api tagged, and because the repo doesn't have any semver-style tags, v0.0.0- is the correct pseudo-version prefix for its commits.

As far as I can tell, because k8s.io/kubernetes relies so heavily on replace directives to pin its dependencies it can only be built in module mode if it is the main module, or if the main module replicates its replace directives more-or-less exactly.

[gopherbot]

Change https://golang.org/cl/184720 mentions this issue: cmd/go: tighten the check for pseudo-version base tags