cmd/go/internal/modfetch: erroneously resolves a v2.…+incompatible version when a v2/go.mod file exists
#51324
Comments
bcmills
added
modules
NeedsInvestigation
|
One more data point: apparently So the recent change in behavior is just that we now resolve the |
|
@gopherbot, please backport to Go 1.16 and Go 1.17. This is a regression introduced in a security release (for #35671), and can cause confusion if a Go user accidentally passes the wrong module path to |
|
Backport issue(s) opened: #51331 (for 1.16), #51332 (for 1.17). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Change https://go.dev/cl/387675 mentions this issue: |
|
Change https://go.dev/cl/387917 mentions this issue: |
|
Reopening to track 1.18 cherry-pick. |
|
Change https://go.dev/cl/387921 mentions this issue: |
|
Change https://go.dev/cl/387922 mentions this issue: |
|
Change https://go.dev/cl/387923 mentions this issue: |
dmitshur
added
NeedsFix
… a go.mod file exists in a subdirectory for that version Previous versions of the 'go' command would reject a pseudo-version passed to 'go get' if that pseudo-version had a mismatched major version and lacked a "+incompatible" suffix. However, they would erroneously accept a version *with* a "+incompatible" suffix even if the repo contained a vN/go.mod file for the same major version, and would generate a "+incompatible" pseudo-version or version if the user requested a tag, branch, or commit hash. This change uniformly rejects "vN.…" without "+incompatible", and also avoids resolving to "vN.…+incompatible", when vN/go.mod exists. To maintain compatibility with existing go.mod files, it still accepts "vN.…+incompatible" if the version is requested explicitly as such and the repo root lacks a go.mod file. Fixes #51332 Updates #51324 Updates #36438 Change-Id: I2b16150c73fc2abe4d0a1cd34cb1600635db7139 Reviewed-on: https://go-review.googlesource.com/c/go/+/387675 Trust: Bryan Mills <bcmills@google.com> Reviewed-by: Michael Matloob <matloob@golang.org> (cherry picked from commit 5a9fc94) Reviewed-on: https://go-review.googlesource.com/c/go/+/387922 Run-TryBot: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
… a go.mod file exists in a subdirectory for that version Previous versions of the 'go' command would reject a pseudo-version passed to 'go get' if that pseudo-version had a mismatched major version and lacked a "+incompatible" suffix. However, they would erroneously accept a version *with* a "+incompatible" suffix even if the repo contained a vN/go.mod file for the same major version, and would generate a "+incompatible" pseudo-version or version if the user requested a tag, branch, or commit hash. This change uniformly rejects "vN.…" without "+incompatible", and also avoids resolving to "vN.…+incompatible", when vN/go.mod exists. To maintain compatibility with existing go.mod files, it still accepts "vN.…+incompatible" if the version is requested explicitly as such and the repo root lacks a go.mod file. Fixes #51331 Updates #51324 Updates #36438 Change-Id: I2b16150c73fc2abe4d0a1cd34cb1600635db7139 Reviewed-on: https://go-review.googlesource.com/c/go/+/387675 Trust: Bryan Mills <bcmills@google.com> Reviewed-by: Michael Matloob <matloob@golang.org> (cherry picked from commit 5a9fc94) Reviewed-on: https://go-review.googlesource.com/c/go/+/387923 Run-TryBot: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
Merged to Go 1.18 release branch via https://go.dev/cl/389554. |
This fixes an obscure bug in 'go list -versions' if the repo contains a tag with an explicit "+incompatible" suffix. However, I've never seen such a repo in the wild; mostly it's an attempt to wrap my brain around the code and simplify things a bit for the future. Updates #51324 Updates #51312 Change-Id: I1b078b5db36470cf61aaa85b5244c99b5ee2c842 Reviewed-on: https://go-review.googlesource.com/c/go/+/387917 Run-TryBot: Bryan Mills <bcmills@google.com> Auto-Submit: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Matloob <matloob@golang.org>
CL 378400 appears to have introduced a regression for modules that contain a
v2/go.modfile and notgo.modfile at the repo root.github.com/sacloud/libsacloudat commitb491c1c2c6bd6e18fd0b55ef6770ecd1e66f1419is one such example.At that revision, it contains a
v2/go.modfile that correctly declaresmodule github.com/sacloud/libsacloud/v2, and nogo.modfile whatsoever at the module root. The correspondingv2pseudo-version should therefore apply only to thev2module (github.com/sacloud/libsacloud/v2) — it should not also be valid as a+incompatibleversion for the module at the root of the repo.Go 1.17 as originally released correctly rejected that version for the repo root.
go1.18rc1does not.(Found by @heschi during Go 1.18 pre-release testing.)
CC @matloob
The text was updated successfully, but these errors were encountered: