Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"go get" installs outdated Dex v2.13.0 and refuses to install latest v2.26.0 #1857

Closed
heidemn opened this issue Nov 7, 2020 · 3 comments
Closed

"go get" installs outdated Dex v2.13.0 and refuses to install latest v2.26.0 #1857

heidemn opened this issue Nov 7, 2020 · 3 comments

Comments

@heidemn
Copy link

heidemn commented Nov 7, 2020
edited
Loading

Expected behavior (what you expected to happen):
I understand that Dex v2.26.0 is the latest release. There also exists a Git tag with that exact name.
-> Expected: go get installs latest Dex version v2.26.0.
Also expected: One can choose the version to install using go get github.com/dexidp/dex@<VERSION>

Usage of go get is also suggested here: https://github.com/dexidp/website/blob/main/content/docs/getting-started.md

I know that I can manually check out the Dex repo where go get would put it, but it seems to me that go get should by default provide the most recent release.

Actual behavior (what actually happened):
go get installs outdated Dex version v2.13.0.
It complains when trying to explicity install v2.26.0.

Steps to reproduce:

$ go version
go version go1.15.4 windows/amd64

$ go mod init module
go: creating new go.mod: module module

$ go get github.com/dexidp/dex
go: downloading github.com/dexidp/dex v0.6.1
go: github.com/dexidp/dex upgrade => v2.13.0+incompatible
go build github.com/dexidp/dex: no non-test Go files in 
  C:\Users\...\go\pkg\mod\github.com\dexidp\dex@v2.13.0+incompatible

$ cat go.mod
module module

go 1.15

require github.com/dexidp/dex v2.13.0+incompatible // indirect

$ cat go.sum
github.com/dexidp/dex v0.6.1 h1:8cMvsPai2Eey6Ly77AMv/yO0Mlb8P4wVJHQW6rb9y68=
github.com/dexidp/dex v2.13.0+incompatible h1:EQPpzCi51omkwBe0KYpRGaV3rk6CVvjcqeMGCe3Q00w=
github.com/dexidp/dex v2.13.0+incompatible/go.mod h1:cRGkPWqKhDD1FMCICe2JbYDdVR2xGLa38F6iuH/jNAs=

$ go get github.com/dexidp/dex@v2.26.0
go get github.com/dexidp/dex@v2.26.0: github.com/dexidp/dex@v2.26.0:
  invalid version: module contains a go.mod file, so major version must be compatible:
  should be v0 or v1, not v2

Environment:

  • Go 1.15.4 on Windows (same with Go 1.13 on Linux)
  • Same behavior with or without GO111MODULE=on
  • Dex version: v2.13.0 / v2.26.0
  • Installation type (official docker image, helm chart, etc.): go get
@nabokihms
Copy link
Member

Hello! This is how go modules works. Dex 2.13 is the latest version that didn't use them.
However, downloading Dex via go get by commit hash should work for you. To get Dex 2.26.0:

go get -v github.com/dexidp/dex@71bbbee0752781a65d7f9dde198d58f97ddec097

This is the best way if you want to use Dex as a library.

Another way (if you want just to download the repo) is to run go get outside of the directory, which contains the go.mod file. It then will download Dex to your $GOPATH (the latest master branch).

P.S. It's unclear to me why do you want to use Dex as a package. Please, could you share your use case?

@sagikazarmark
Copy link
Member

This was reported before: #1710

Unfortunately (or not?) this is not something we can address in the v2 release branch, simply because of how Go modules work. (It would require us to add a /v2 suffix to the module name, but it would actually require a new major version at this point).

Additionally, this is not something that we really want to address in the near future. We don't support importing Dex as a library, simply because it's an application. The only reasonable explanation we've heard so far is importing the API itself, which has been addressed by releasing a separate V2 API module: https://github.com/dexidp/dex/releases/tag/api%2Fv2.0.0

So importing the main module is not supported anymore and is not planned to be supported in the near future (although technically you can still install Dex by pointing to a specific commit, but the version won't work). If you have a use case in mind that would require importing the main Dex module, feel free to open a separate issue explaining that use case in detail.

Until then, please use the V2 API (if that's your use case) or fork Dex if you need to make any changes.

Thanks!

@heidemn
Copy link
Author

heidemn commented Nov 8, 2020

Hi, thanks for your explanations.
It makes sense that this doesn't have priority for a project that is primarily an application, not a library.

Our use case was not really to use Dex as a Go library, but instead to keep track in our bill of material that we're using Dex (as an application) in a particular version.
Our software inventory tool supports Go. So checking in a go.mod file referencing Dex into our product's repo would make Dex appear in the list of dependencies.
This allows tracking the license and future CVEs (also of transitive dependencies), which is important for large projects with many dependencies.

Referencing the commit hash directly might also work with our tool, will check this.
Thanks again for all the details provided.

@tuladhar tuladhar mentioned this issue Jul 24, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sagikazarmark @heidemn @nabokihms