cmd/go: make go.mod exclude directives deterministic #36465
The "next" higher version depends on the list of available versions and may change over time. When the
This behavior also makes the build non-deterministic. Since the "next" version may change, the build list may vary depending on when the build was run and which proxy was used. A malicious proxy may selectively show and hide versions, but if the checksum database is being used, a proxy can't introduce a version that wasn't created by the module author without being detected.
If an excluded version is required in the main module's
In this example,
This appears to be the root cause of #36453.
Together, these changes prevent the
In the above example, the
I think (2) is important.
As an alternative to (1), we could instead ignore the excluded requirement entirely. (If we know that the main module already has a dependency on a higher version anyway, then replacing the lower version with the higher one has the same effect as dropping the lower one entirely.)
That would drop the excluded edges from
I'm deep in the guts of the module loader for #36460 anyway, so I'm going to implement the behavior described in #36465 (comment). We will ignore requirements on excluded versions whenever they are encountered, with the result that we will either downgrade to the highest non-excluded version found in the requirement graph or re-resolve the
That approach is deterministic: if we do not need to re-resolve, it always yields the same subgraph of the original requirement graph, and if we do need to re-resolve we will record the resulting version as a new requirement (even if it is lower than the excluded version).
It also has the nice benefit of enabling users to
Spot-checking some known open-source
The planned change (to simply ignore all references to the excluded version) will continue to work for both of those categories.
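Added example, not code from the Go project or from any participant in this thread: a simplified model of the two behaviors discussed above. One replaces an excluded requirement with the "next" higher version a proxy lists, and the other ignores the excluded requirement entirely. Versions are modeled as ints (the N in v1.N.0), and `mv`, `buildList`, `sampleGraph` and the requirement graph are constructed for illustration.

```go
package main

import "fmt"

type mv struct{ path string; ver int } // constructed model: ver is the N in v1.N.0

// buildList keeps the highest required version of each module (simplified MVS).
// listed == nil: requirements on excluded versions are ignored (planned behavior).
// Otherwise they are replaced by the next higher version in the proxy's listing.
func buildList(root mv, reqs map[mv][]mv, excluded map[mv]bool, listed map[string][]int) map[string]int {
	selected, seen := map[string]int{}, map[mv]bool{root: true}
	for queue := []mv{root}; len(queue) > 0; queue = queue[1:] {
		for _, r := range reqs[queue[0]] {
			if excluded[r] && listed == nil {
				continue // drop the edge; nothing outside the graph is consulted
			}
			if excluded[r] {
				next := 0 // stays 0 if no higher version is listed
				for _, v := range listed[r.path] {
					if v > r.ver && !excluded[mv{r.path, v}] && (next == 0 || v < next) {
						next = v
					}
				}
				r.ver = next // result depends on what the proxy chose to list
			}
			if r.ver > selected[r.path] {
				selected[r.path] = r.ver
			}
			if !seen[r] {
				seen[r] = true
				queue = append(queue, r)
			}
		}
	}
	return selected
}

// sampleGraph is constructed input: main requires a v1.1.0 and b v1.1.0,
// a v1.1.0 requires b v1.2.0, and main's go.mod excludes b v1.2.0.
func sampleGraph() (mv, map[mv][]mv, map[mv]bool) {
	reqs := map[mv][]mv{{"main", 0}: {{"a", 1}, {"b", 1}}, {"a", 1}: {{"b", 2}}}
	return mv{"main", 0}, reqs, map[mv]bool{{"b", 2}: true}
}

func main() {
	root, reqs, excl := sampleGraph()
	for _, l := range []map[string][]int{{"b": {1, 2, 3, 4}}, {"b": {1, 2, 4}}, nil} {
		fmt.Println(buildList(root, reqs, excl, l)["b"])
	}
}
```

With the constructed graph, the two listings select v1.3.0 and v1.4.0 for `b`, while ignoring the excluded requirement selects v1.1.0 regardless of what is listed.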
For #36460
Updates #36465
Change-Id: Id818dce21d39a48cf5fc9c015b30497dce9cd1ef
Reviewed-on: https://go-review.googlesource.com/c/go/+/278596
Trust: Bryan C. Mills <email@example.com>
Run-TryBot: Bryan C. Mills <firstname.lastname@example.org>
TryBot-Result: Go Bot <email@example.com>
Reviewed-by: Jay Conrod <firstname.lastname@example.org>
Reviewed-by: Michael Matloob <email@example.com>

For golang/go#36465
Change-Id: I2ee22295c9c542697f211ce517866560e33ef480
Reviewed-on: https://go-review.googlesource.com/c/website/+/287414
Trust: Jay Conrod <firstname.lastname@example.org>
Reviewed-by: Bryan C. Mills <email@example.com>