Conversation
vendor.mod
Outdated
| google.golang.org/genproto => google.golang.org/genproto v0.0.0-20200227132054-3f1135a288c9 | ||
| google.golang.org/grpc => google.golang.org/grpc v1.27.1 | ||
| gopkg.in/fsnotify.v1 => gopkg.in/fsnotify.v1 v1.4.7 | ||
| archive/tar => ./internal/archive/tar |
There was a problem hiding this comment.
So this actually isn't supported (see golang/go#35283). We need to find a better way to do this, perhaps for now there could be cp -a internal/archive/tar inside of go mod vendor wrapper.
There was a problem hiding this comment.
If we keep the files inside vendor/, does go mod vendor delete them, or does it leave them alone?
also wondering if a symlink would work (although Windows may not be happy with that, I recall there were some issues with Windows and symlinks, but don't recall the details)
There was a problem hiding this comment.
If we keep the files inside
vendor/, doesgo mod vendordelete them, or does it leave them alone?
It deletes them.
also wondering if a symlink would work (although Windows may not be happy with that, I recall there were some issues with Windows and symlinks, but don't recall the details)
The issue with symlinks on Windows is pretty major IMO, a Windows user basically cannot clone a repo with symlinks.
There was a problem hiding this comment.
Maybe I asked before, but why can't we move vendor/archive/tar to an external module such as github.com/moby/sys/archive/tar and just apply s|archive/tar|github.com/moby/sys/archive/tar|g to the moby/moby source?
There was a problem hiding this comment.
I think it might be worse trying as a follow-up, but here the goal is to make the least number of changes.
There was a problem hiding this comment.
@AkihiroSuda In that case, we could as well put it in internal/ in this repository. But I think the reason we didn't "fork" it (but override) is that it may be used indirectly(?). Are we sure that the archive/tar code is never called indirectly (and we would reintroduce the vulnerability?)
errordeveloper
force-pushed
the
go-mod
branch
2 times, most recently
from
48be7a1 to
d98bff4
Compare
|
Also opened docker/docker-ce-packaging#611 to do a quick check if the packaging scripts don't blow up 👍 |
hack/vendor.sh
Outdated
| cat > hack/make/.resources-windows/go.mod << EOF | ||
| module github.com/docker/docker/autogen/winresources/dockerd |
There was a problem hiding this comment.
For this I can open a PR to implement goversioninfo like it has been done in docker/cli#3310 so you would not need to add this hack. WDYT @thaJeztah?
There was a problem hiding this comment.
Yes, would be great if we could used the same tool.
I'm ok with a temporary hack like this (if it works in the meantime)
There was a problem hiding this comment.
I think it'd be good as a follow-up, but doesn't seem like a blocker...
errordeveloper
force-pushed
the
go-mod
branch
2 times, most recently
from
454c66a to
9e83d6c
Compare
|
This should be good as far as I'm concerned, but let's see what CI might bring... |
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
Thanks! Did some quick testing, and looks like there may be some issues (see comments)
errordeveloper
force-pushed
the
go-mod
branch
7 times, most recently
from
85051f9 to
2ab6dcc
Compare
errordeveloper
force-pushed
the
go-mod
branch
from
2ab6dcc to
3274205
Compare
errordeveloper
force-pushed
the
go-mod
branch
3 times, most recently
from
18c3503 to
dc7a938
Compare
This comment has been minimized.
This comment has been minimized.
errordeveloper
force-pushed
the
go-mod
branch
from
edee5ed to
47f86be
Compare
|
I noticed that the temporary |
Maybe, but I am not quite sure why this matters. With these files written one can actually use |
Ah, good point as well, didn't think of that |
|
One caveat with that is that it still requires the |
I guess the way I think about this is that new sub-decencies are not a major concern, as long as these aren't actually imported, which I checked for this PR. |
|
@thaJeztah thanks for sharing |
🤦 I always forget the empty line; should be fixed now |
tonistiigi
left a comment
tonistiigi
left a comment
There was a problem hiding this comment.
When I run hack/validate/vendor inside the container the vendor.sum file changes significantly. But the validation script itself returns with 0 exit code.
| golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect | ||
| google.golang.org/api v0.46.0 // indirect | ||
| google.golang.org/appengine v1.6.7 // indirect | ||
| honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc // indirect |
There was a problem hiding this comment.
I see we are now vendoring some new packages that actually never get called. Nothing we can do about it?
There was a problem hiding this comment.
No, don't think so unfortunately. Some of these may be test dependencies or a dependency using a "tools.go" file to force it being included. (also see my comment above)
hack/validate/vendor
Outdated
| IFS=$'\n' | ||
| # shellcheck disable=SC2207 | ||
| files=( $(validate_diff --diff-filter=ACMR --name-only -- 'vendor.conf' 'vendor/' || true) ) | ||
| files=( $(validate_diff --diff-filter=ACMR --name-only -- 'vendor.sum' 'vendor.mod' 'vendor/' || true) ) |
There was a problem hiding this comment.
@tonistiigi thanks for checking this, well spotted! I have looked into this and it doesn't seem to detect uncommitted changes to any of these files, it seems to be just getting a list of files that changed between origin/HEAD and HEAD.
When I ran bash -x hack/validate/vendor, the command it called was this:
+ git diff 088afc99e4bf8adb78e29733396182417d67ada2...0089b1ffb718e9c413a0687dd714dfc5c0829cb4 --diff-filter=ACMR --name-only -- vendor.sum vendor.mod vendor/
Where 088afc9 is what's in master right now, and 0089b1f is the head of my branch.
I think that changing the way this script functions would be out of scope for this PR, so I'd rather leave it as is. I know that overall diff in this script is quite big already, but I was aiming to avoid changing the logic of the checks.
There was a problem hiding this comment.
Doesn't at least line 21 need vendor.mod and vendor.sum as well?
There was a problem hiding this comment.
Doesn't at least line 21 need
vendor.modandvendor.sumas well?
You are right, that looks like where detection of uncommitted changes happens.
I can also see what validate_diff is all about, it checks what files changed in HEAD vs origin/HEAD.
I just tend to use git diff to check for uncommitted changes, so I too quickly assumed that's what validate_diff might be for, the function name isn't very specific...
There was a problem hiding this comment.
I've updated this script just now.
errordeveloper
force-pushed
the
go-mod
branch
from
0089b1f to
2e64c14
Compare
I've committed an update to |
- use `vendor.mod` instead of `go.mod` to avoid issues to do with use of CalVer, not SemVer - ensure most of the dependency versions do not change - only zookeeper client has to change (via docker/libkv#218) as previously used version is no longer maintained and has missing dependencies Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
errordeveloper
force-pushed
the
go-mod
branch
2 times, most recently
from
ba0a704 to
38fe32e
Compare
- all changes here are attributed to difference in behaviour between, namely: - resolution of secondary test dependencies - prunning of non-Go files Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
errordeveloper
force-pushed
the
go-mod
branch
from
38fe32e to
2a6c38e
Compare
thaJeztah
added
area/project
kind/refactor
|
@errordeveloper I was a bit in doubt in which order we should merge the PR's; #42247 was green now (with the test-fixes merged), and has some commits that remove a couple of dependencies. I gave it a quick try to rebase this (your) PR on top of that one, to see how easy we can do a rebase (and update the I can also do a try to see what the "reverse" will look like (have not tried yet) |
|
@thaJeztah ok, do give it a go! I can pick this back up on Friday, if needed. |
|
closing in favour of #43101 |
6 participants
No description provided.