Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: enable injection of build version info #59019

deitch opened this issue Mar 14, 2023 · 2 comments

cmd/go: enable injection of build version info #59019

deitch opened this issue Mar 14, 2023 · 2 comments


Copy link

deitch commented Mar 14, 2023

This is somewhat related to #44469

I compile a binary with go. I distribute it. go, in its helpfulness, includes lots of information about modules and their versions, e.g. from dlv:

$ go version -m ./dlv
./dlv: go1.20.1
	mod	(devel)
	dep	v0.1.0	h1:BVDiEL32lwHukgJKP87btEPenzrrHUjajs/8yzaqcXg=
	dep	v2.0.0	h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM=
	dep	v0.0.0-20221213183930-4c74548207f4
	dep	v1.2.3-0.20220127212407-d32d89dd2a5d	h1:pxjSLshkZJGLVm0wv20f/H0oTWiq/egkoJQ2ja6LEvo=
	dep	v0.6.0	h1:Y1RHGUtv3R8y6sXq2dtGRMYrFB2hSqyFVws7jucrzX4=
	dep	v0.5.4	h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=

Except for the module itself, which just shows (devel).

The compiled binary carries with it all of its dependency version and source information, but only package name for the root module itself. This makes it of much less usefulness for sbom and software supply-chain and provenance tools.

The build process populates BuildInfo, but leaves the version blank.

I recall seeing a discussion earlier about not wanting to depend on external tools; I get that. It might even be a good enough start if there were a "hook" that let you add that information, whether a flag or even the usual -X something=v1.2.3 (although calculating if it is a tag or a pseudo-version and what that is also appears not to be in an obviously exposed package).

  1. Ideal: go build figures out, "I am running in a git repo at a specific commit, I will figure out my version or pseudo-version and put it in"
  2. Below: go build provides an option to do it, something like --module-version=auto (to auto-populate) or --module-version=v1.2.3
  3. Below: it provides a -X flag that can be used, e.g. -ldflags '-X runtime.BuildInfo.Version=v1.2.3', although that leaves it on the user to figure out what that version or pseudo-version is
Copy link

Duplicate of #50603

@seankhliao seankhliao marked this as a duplicate of #50603 Mar 14, 2023
@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Mar 14, 2023
Copy link

deitch commented Mar 14, 2023

Dang that was quick. Thanks @seankhliao .

I would have just commented on that issue, but so hard to find. GitHub needs better search.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

2 participants