Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: enable injection of build version info #59019

Closed
deitch opened this issue Mar 14, 2023 · 2 comments
Closed

cmd/go: enable injection of build version info #59019

deitch opened this issue Mar 14, 2023 · 2 comments
Labels

Comments

@deitch
Copy link

deitch commented Mar 14, 2023

This is somewhat related to #44469

I compile a binary with go. I distribute it. go, in its helpfulness, includes lots of information about modules and their versions, e.g. from dlv:

$ go version -m ./dlv
./dlv: go1.20.1
	path	github.com/go-delve/delve/cmd/dlv
	mod	github.com/go-delve/delve	(devel)
	dep	github.com/cosiner/argv	v0.1.0	h1:BVDiEL32lwHukgJKP87btEPenzrrHUjajs/8yzaqcXg=
	dep	github.com/cpuguy83/go-md2man/v2	v2.0.0	h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
	dep	github.com/derekparker/trie	v0.0.0-20221213183930-4c74548207f4
	dep	github.com/go-delve/liner	v1.2.3-0.20220127212407-d32d89dd2a5d	h1:pxjSLshkZJGLVm0wv20f/H0oTWiq/egkoJQ2ja6LEvo=
	dep	github.com/google/go-dap	v0.6.0	h1:Y1RHGUtv3R8y6sXq2dtGRMYrFB2hSqyFVws7jucrzX4=
	dep	github.com/hashicorp/golang-lru	v0.5.4	h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
        ...

Except for the module itself, which just shows (devel).

The compiled binary carries with it all of its dependency version and source information, but only package name for the root module itself. This makes it of much less usefulness for sbom and software supply-chain and provenance tools.

The build process populates BuildInfo, but leaves the version blank.

I recall seeing a discussion earlier about not wanting to depend on external tools; I get that. It might even be a good enough start if there were a "hook" that let you add that information, whether a flag or even the usual -X something=v1.2.3 (although calculating if it is a tag or a pseudo-version and what that is also appears not to be in an obviously exposed package).

  1. Ideal: go build figures out, "I am running in a git repo at a specific commit, I will figure out my version or pseudo-version and put it in"
  2. Below: go build provides an option to do it, something like --module-version=auto (to auto-populate) or --module-version=v1.2.3
  3. Below: it provides a -X flag that can be used, e.g. -ldflags '-X runtime.BuildInfo.Version=v1.2.3', although that leaves it on the user to figure out what that version or pseudo-version is
@seankhliao
Copy link
Member

Duplicate of #50603

@seankhliao seankhliao marked this as a duplicate of #50603 Mar 14, 2023
@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Mar 14, 2023
@deitch
Copy link
Author

deitch commented Mar 14, 2023

Dang that was quick. Thanks @seankhliao .

I would have just commented on that issue, but so hard to find. GitHub needs better search.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants