Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: running go1.23.0 mod vendor on go1.22.6 source unexpectedly vendors golang.org/x/crypto/sha3 #69235

Open
dagood opened this issue Sep 3, 2024 · 3 comments
Assignees
Labels
Milestone

Comments

@dagood
Copy link
Contributor

dagood commented Sep 3, 2024

Go version

go version go1.23.0 linux/amd64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/dagood/.cache/go-build'
GOENV='/home/dagood/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/dagood/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/dagood/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/home/dagood/sdk/go1.23.0'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/home/dagood/sdk/go1.23.0/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/home/dagood/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/home/dagood/git/golang_go/src/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build23445954=/tmp/go-build -gno-record-gcc-switches'

What did you do?

After checking out go1.22.6, in src:

$ go1.22.6 mod vendor
$ git diff
$ go1.23.0 mod vendor
$ git diff

(Used https://pkg.go.dev/golang.org/dl to download both Go versions.)

What did you see happen?

The first git diff has no output. This means go1.22.6's vendor directory is reproducible when I run Go 1.22.6.

The second git diff shows:

diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 9a234e59b1..ce8a7b8441 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -7,6 +7,7 @@ golang.org/x/crypto/cryptobyte/asn1
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
+golang.org/x/crypto/sha3
 # golang.org/x/net v0.19.1-0.20240412193750-db050b07227e
 ## explicit; go 1.18
 golang.org/x/net/dns/dnsmessage

(The golang.org/x/crypto/sha3 source is also added into vendor/.)

What did you expect to see?

I expected reproducible results both times.

I filed this based on https://groups.google.com/g/golang-nuts/c/BEsmO16g37I, where I mentioned why this is what I expected:

I've been working under the assumption that backward compatibility promises would extend to "go mod vendor". This way, developers using 1.23.x and 1.22.x won't have thrashing changes when working on the same module.

@ianlancetaylor ianlancetaylor added the GoCommand cmd/go label Sep 3, 2024
@ianlancetaylor
Copy link
Contributor

CC @matloob @samthanawalla

@matloob matloob added this to the Go1.24 milestone Sep 3, 2024
@dagood
Copy link
Contributor Author

dagood commented Sep 3, 2024

GOROOT='/home/dagood/sdk/go1.23.0'

I tried changing GOROOT to point at the repository directory, and that seems to make go1.23.0 mod vendor reproducible. The golang.org/x/crypto/sha3 seems to be bleeding through from 1.23.0's GOROOT.

I suppose this might be reasonable: go mod treats the imports in the std module as imports of the go1.23.0 standard library because that's what GOROOT is pointing at, so go1.23.0 mod vendor finds those dependencies in that source and vendors them. If this is true, then maybe this is special with std and doesn't affect ordinary Go development.

I'm not sure how this is intended to work, but maybe it's fine if documented in README.vendor?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants