Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: cmd/go: add a flag to stop embedding versioning information into the binaries #37693

Open
dottedmag opened this issue Mar 5, 2020 · 4 comments
Labels
Milestone

Comments

@dottedmag
Copy link
Contributor

@dottedmag dottedmag commented Mar 5, 2020

Background

Proposal #37475 suggests adding a version of git checkout from which the binary is built to the binary itself.

Comments #37475 (comment) and #37475 (comment) describe a workflow which will be broken by this change, as it relies on binaries' checksum stability.

This stability is already slightly compromised, as versions of dependencies are embedded in the final binary. However, it works pretty well in practice: when a dependency changes, it usually brings new code, because nobody is updating dependencies constantly, only to get a new feature or a bugfix.

OTOH, when a checkout version changes, often it does not bring new code, especially for monorepo. As an anecdotic data point, the project I'm working in regularly sees binaries staying stable over hundreds of revisions of source code. #37475 would increase the number of produced Docker images 100x and force upgrades of all components needlessly (unless a scheme equivalent to removing version information from binaries is employed).

Proposal

This proposal suggests adding a flag that will disable embedding version information completely (including the version of Go).

This will solve the dependencies-induced checksum stability compromise as well.

Practical considerations

I'd like to ask to make sure #37475 and this proposal are considered together, to avoid releasing a version of Go where the workflow described in that proposal is broken.

@bcmills

This comment has been minimized.

Copy link
Member

@bcmills bcmills commented Mar 5, 2020

@mark-rushakoff

This comment has been minimized.

Copy link
Contributor

@mark-rushakoff mark-rushakoff commented Mar 5, 2020

As for the build process I mentioned in #37475 (comment), we are using GOFLAGS='-mod=vendor -ldflags=-buildid='. We also are explicitly not using -trimpath as that includes module version info that we don't want for these builds.

A single flag we could use that was something like -deterministic-build or -reproducible-build or -omit-version-embedding would make things much simpler for our build process, if we could rely on that flag to be stable across versions of Go.

@ianlancetaylor

This comment has been minimized.

Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Mar 5, 2020

Let's please discuss this on #37475. I can't see any reason to make this a separate issue. Thanks.

@bcmills

This comment has been minimized.

Copy link
Member

@bcmills bcmills commented Mar 6, 2020

@ianlancetaylor, I would prefer to keep this as a separate issue. Given that we already do embed some version information, we can consider whether to add a flag to omit that information separately from whether we expand that information.

(#37475 is about expanding the existing version information, and this issue is about redacting it.)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
You can’t perform that action at this time.