-
Notifications
You must be signed in to change notification settings - Fork 17.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/pkgsite: too many users are filing package removal requests #55834
Comments
We've seen the case where the repository is already gone so there is no place to publish version for retraction. (e.g. github id change, domain name change, ...) Other than that I don't see the case. Good idea. Please send a PR. In the second paragraph, I'd suggest explicitly call out the fact that removal from pkgsite doesn't remove the versions or modules from the module proxy.
|
Perhaps there should be separate section headings for "Removing a package" and "Removing a version of a package", with the latter giving the exact steps to take in the common case of recovering from an accidentally pushed version tag. |
I see, thanks. I'll amend the text.
Did you mean the third paragraph, where we talk about
Personally, I wouldn't do that split. The difference between what a user sees on pkg.go.dev and what they get via If anything, we could call the two sections "removing a package's documentation" and "removing versions of a package", but I think the vast majority of people will want to do more than just hiding the documentation pages. |
Maybe it's worth mentioning that you should immediately delete the tag from the remote if you realize you pushed the wrong tag, and realize that very soon after. If you catch it before anyone downloads it, you can actually delete it. |
At some point I wrote a blog post trying to enumerate the common cases. I've since learned about shorter starting pseudoversions and that retractions work even without matching module names (??). I get the feeling that the only removal requests that need manual action should be when repos have been removed. |
Change https://go.dev/cl/443341 mentions this issue: |
Change https://go.dev/cl/443400 mentions this issue: |
For golang/go#55834. Change-Id: I085414053ab4cdfb228aa622bd4e08eca2cc44b9 Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/443341 Run-TryBot: Jamal Carvalho <jamal@golang.org> Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
Borrowed from https://seankhliao.com/blog/12021-10-17-go-mod-retract/ Updates golang/go#55834. Change-Id: I10883a74f16caad6b62937778b09286cfd2d76d5 Reviewed-on: https://go-review.googlesource.com/c/website/+/443400 Reviewed-by: Jamal Carvalho <jamal@golang.org> Reviewed-by: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Hyang-Ah Hana Kim <hyangah@gmail.com>
Say I mistakenly pushed a git tag on a Go module of mine, and now I can see it on pkg.go.dev. I only know the basics about Go modules, so I am not yet familiar with retractions. From the home page of pkg.go.dev, I find https://pkg.go.dev/about#removing-a-package:
Presumably, this should lead me to publish a module retraction, not to file a request. However, plenty of requests are filed regularly. I've always had the suspicion that the majority of those should be fixed with retractions instead, so I engaged with one of them. And indeed I think this particular user wants to use a retraction; they want to entirely take back a v1.0.0 tag from their users, not simply hide the documentation.
Assuming that all of these users are filing issues by following the pkg.go.dev docs as shown above, I think the docs are confusing. They should better clarify that:
A retraction is almost always what the user should do. In fact, I struggle to imagine what the site means by "If you cannot retract your module". If we have an edge case in mind, I would call it out explicitly. If not, I would remove the alternative entirely.
Removing a package from pkg.go.dev only hides the documentation. The Go module and version will still work for
go get pkg@latest
requests, which I think is a pretty common concern amongst users. For example, the particular issue above is about having pushed a v1.0.0 tag when the module is meant to be a v0. The wording should be clearer.It's true that the link points to an issue template which explains this in an HTML comment, but by that point the user has already made the choice to not retract. Plus, can we trust the user to read the entire template carefully before filling the form? :)
How to retract the latest version in a clean way. https://go.dev/ref/mod does say:
That is, to retract a v1.0.0, it is possible to publish a v1.0.1 which retracts both versions. The user can follow the links to the blog post or docs, but they have to do quite a lot of reading to find the few important sentences.
In fact, I would remove the link to the blog post, because the link to the modules reference already overlaps with its information. Plus, the example shown in the blog post is rather simple - it does not cover how to retract the latest version, for example.
--
I propose new wording. Lengthier, but hopefully clearer.
Note the TODO per the point 1 above.
Also note that I explicitly call out that retracted versions cannot be used again. I think this is a common misunderstanding: inexperienced Go users think that they can remove or retract a Go module or version, to then "start fresh" as if that package or version was never published. That is usually not true. Perhaps this should also be called out in https://go.dev/ref/mod#go-mod-file-retract.
cc @bcmills @seankhliao @julieqiu
The text was updated successfully, but these errors were encountered: