Drop Go min patch version #13418
Drop Go min patch version #13418
Conversation
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
| module github.com/docker/compose/v5 | ||
|
|
||
| go 1.24.11 | ||
| go 1.24.3 |
There was a problem hiding this comment.
:sadpanda: looks like some other dependency also set a patch version. Well 🤷♂️
There was a problem hiding this comment.
FWIW 1.24.3 is pretty common due to some breaking behaviors in 1.24.0-1.24.2.
There was a problem hiding this comment.
I don't get the point here. What's wrong with 1.24.11? Why shall we use an older ref?
There was a problem hiding this comment.
The Go version defined in go.mod is currently used to determine which Go version our CI installs.
There was a problem hiding this comment.
The version in go.mod should follow MVS (Minimal Version Selection) and reflect the minimum required version of Go; similar to other dependencies.
For features introduced in a Go "minor" version, that would indeed require updating the version; i.e., if the project uses features that are only available in, say, go1.25, then the go.mod should be updated to go1.25.0, because it won't compile on older versions.
But for the patch version, that's not the case; patch versions should only contain bugfixes, not new features, so it's good to keep it at .0 ("any go1.24.x version can be used to compile this code"); for sure, users should normally use the latest patch release, but that's not up to compose to dictate that.
Currently, compose updates the patch version if compose itself choses to update to a newer version of go, but this caused issues with Azure (and others), who use a hardened version of Go; those versions usually go through some extra verification period before becoming available, but if compose bumps the minor version, it's not possible to build with any older patch version of Go.
There was a problem hiding this comment.
then go.mod should better just declare 1.24 without a patch version, as suggested by https://gitea.com/actions/setup-go#getting-go-version-from-the-gomod-file
There was a problem hiding this comment.
.. as PR description suggests :)
There was a problem hiding this comment.
current versions of go no longer allow omitting the .<patch> entirely; usually it would be set to .0, but in this specific case, go1.24.0, go124.1 and go1.24.2 were broken, so there was a legit reason for some projects to not allow using them.
There was a problem hiding this comment.
right.
I'm fine we change go.mod then, but CI workflow must be updated so we run with latest
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM (but not a maintainer)
|
Our CI set go version used based on go.mod (https://github.com/docker/compose/blob/main/.github/workflows/ci.yml#L201-L204) so this would mean we run CI with an older go runtime, with some potential security concerns |
4 participants
What I did
This PR addresses #13417 (comment)
Related issue
(not mandatory) A picture of a cute animal, if possible in relation to what you did