Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/tools/gopls: broken build with x/vuln@latest #59837

Closed
bcmills opened this issue Apr 26, 2023 · 7 comments
Closed

x/tools/gopls: broken build with x/vuln@latest #59837

bcmills opened this issue Apr 26, 2023 · 7 comments
Labels
FrozenDueToAge gopls Issues related to the Go language server, gopls. Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) Tools This label describes issues relating to any tools in the x/tools repository.
Milestone

Comments

@bcmills
Copy link
Contributor

bcmills commented Apr 26, 2023

What version of Go are you using (go version)?

~/src/golang.org/x/tools/gopls$ go1.20.3 version
go version go1.20.3 linux/amd64

Does this issue reproduce with the latest release?

Yes; it also reproduces with CL 471595 patched in.

What operating system and processor architecture are you using (go env)?

go env Output
$ go1.20.3 env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/usr/local/google/home/bcmills/.cache/go-build"
GOENV="/usr/local/google/home/bcmills/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/tmp/tmp.zk603vMqhA"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/usr/local/google/home/bcmills"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/google/home/bcmills/sdk/go1.20.3"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/google/home/bcmills/sdk/go1.20.3/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.20.3"
GCCGO="/usr/bin/gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="c++"
CGO_ENABLED="1"
GOMOD="/usr/local/google/home/bcmills/src/golang.org/x/tools/gopls/go.mod"
GOWORK=""
CGO_CFLAGS="-O2 -g"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-O2 -g"
CGO_FFLAGS="-O2 -g"
CGO_LDFLAGS="-O2 -g"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build577603139=/tmp/go-build -gno-record-gcc-switches"

What did you do?

~/src/golang.org/x/tools/gopls$ go1.20.3 get -u -t ./...

What did you expect to see?

Dependencies of gopls successfully updated to their latest versions.

What did you see instead?

~/src/golang.org/x/tools/gopls$ go1.20.3 get -u -t ./...
golang.org/x/tools/gopls/internal/govulncheck imports
        golang.org/x/vuln/client: cannot find module providing package golang.org/x/vuln/client
golang.org/x/tools/gopls/internal/govulncheck imports
        golang.org/x/vuln/exp/govulncheck: cannot find module providing package golang.org/x/vuln/exp/govulncheck
golang.org/x/tools/gopls/internal/govulncheck imports
        golang.org/x/vuln/osv: cannot find module providing package golang.org/x/vuln/osv
golang.org/x/tools/gopls/internal/vulncheck imports
        golang.org/x/vuln/vulncheck: cannot find module providing package golang.org/x/vuln/vulncheck

The missing packages were moved in CL 475015.

(attn @hyangah @julieqiu; CC @findleyr @adonovan)

@gopherbot gopherbot added Tools This label describes issues relating to any tools in the x/tools repository. gopls Issues related to the Go language server, gopls. labels Apr 26, 2023
@gopherbot gopherbot added this to the Unreleased milestone Apr 26, 2023
@bcmills bcmills added the Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) label Apr 26, 2023
@hyangah
Copy link
Contributor

hyangah commented Apr 28, 2023

@bcmills can you tell us more why is labelled "soon"?

The x/vuln API is not stable at all and our intention was not to update x/vuln dependency until a new API becomes available and we migrate to the new one.

@findleyr
Copy link
Contributor

If this is WAI, I propose that we close this issue.

@hyangah hyangah closed this as completed Apr 28, 2023
@findleyr findleyr closed this as not planned Won't fix, can't repro, duplicate, stale Apr 28, 2023
@bcmills
Copy link
Contributor Author

bcmills commented May 2, 2023

The x/vuln API is not stable at all and our intention was not to update x/vuln dependency until a new API becomes available and we migrate to the new one.

Even unstable dependencies have points of stability. x/vuln has exactly one tagged version (v0.1.0), and gopls can't build against it.

That means that if critical bugs or vulnerabilities are found and patched in x/vuln, gopls will presumably be unable to upgrade (or will need its own backports), and that if any of the other dependencies of gopls happens to upgrade to the tagged x/vuln those dependencies will become stuck too.

If x/vuln is not usable at its only tagged version, perhaps we should back out the integration and remove the dependency until the API is more stable.

@findleyr
Copy link
Contributor

findleyr commented May 2, 2023

If x/vuln is not usable at its only tagged version, perhaps we should back out the integration and remove the dependency until the API is more stable.

I really don't understand this perspective, given that we own both projects. They are versioned together, and any critical bugfix would need to be fixed in both x/vuln and gopls. We have this responsibility. Bryan, is your point that they have diverged too much for this to be feasible in a timely manner? In that case, I would defer to @hyangah and @julieqiu to decide.

@bcmills
Copy link
Contributor Author

bcmills commented May 2, 2023

Bryan, is your point that they have diverged too much for this to be feasible in a timely manner?

Yes — that, and that the divergence adds friction for testing and maintenance in other ways.

For example:

@hyangah
Copy link
Contributor

hyangah commented May 3, 2023

x/vuln is currently actively working on API finalization. The API is significantly different and the current mode is an alternative to copying or vendoring the whole repo. This will be addressed in a couple of months, so let's not worry about this.

@hyangah
Copy link
Contributor

hyangah commented May 3, 2023

This is the milestone for x/vuln API work https://github.com/golang/go/milestone/308

@golang golang locked and limited conversation to collaborators May 2, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge gopls Issues related to the Go language server, gopls. Soon This needs action soon. (recent regressions, service outages, unusual time-sensitive situations) Tools This label describes issues relating to any tools in the x/tools repository.
Projects
None yet
Development

No branches or pull requests

4 participants