Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

all: update standard-library dependencies at the start and end of each development cycle #36905

Open
bcmills opened this issue Jan 30, 2020 · 105 comments
Labels
early-in-cycle A change that should be done early in the 3 month dev cycle. NeedsFix The path to resolution is known, but the work has not been done. recurring Issues that should never be closed, but moved to the next milestone once fixed in the current one. release-blocker
Milestone

Comments

@bcmills
Copy link
Contributor

bcmills commented Jan 30, 2020

The x dependencies vendored into the standard library (via src/go.mod and src/cmd/go.mod) should be updated for each code freeze, so that we can apply any needed fixes to those dependencies without also pulling in unnecessary changes or requiring significant backporting work (see, for example, #36851).

This task, like #11811, #12042, and the API audit (#36167, #32813), should occur regularly in each development cycle. Probably we should update the dependencies at the beginning of each code freeze, and again when we reopen the tree at the end of each code freeze.

CC @golang/osp-team

@bcmills bcmills added this to the Go1.15 milestone Jan 30, 2020
@bcmills bcmills added NeedsFix The path to resolution is known, but the work has not been done. early-in-cycle A change that should be done early in the 3 month dev cycle. labels Jan 30, 2020
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/217517 mentions this issue: all: update module dependencies

@dmitshur
Copy link
Contributor

This issue is currently labeled as early-in-cycle for Go 1.15. That time is now, so friendly ping.

gopherbot pushed a commit that referenced this issue Feb 19, 2020
Updates #36905
Updates #36907

Change-Id: I293dcef67800d5c81ff3a254bbd49309c5880710
Reviewed-on: https://go-review.googlesource.com/c/go/+/217517
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@bcmills bcmills removed the early-in-cycle A change that should be done early in the 3 month dev cycle. label Feb 19, 2020
@bcmills
Copy link
Contributor Author

bcmills commented Feb 19, 2020

Completed the early-in-cycle update for the 1.15 cycle. Removing the label so we remember to revisit at the close of the cycle.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/231657 mentions this issue: all: update module dependencies

gopherbot pushed a commit that referenced this issue May 4, 2020
The Go 1.15 code freeze has just started. This is the time to update
all golang.org/x/... module versions that contribute packages to the
std and cmd modules in the standard library to latest master versions.

Those versions have already gone through code review, and now they
will undergo additional testing during the freeze period.
If there are new issues in these dependencies discovered, we have
the freeze period to deal with that. By the end of the freeze period,
we will have confidence that the Go 1.15 release and the dependency
versions it has selected are robust.

If one of the Go 1.15.x minor releases requires changing code in one of
the vendored packages, we'll be able to do so on top of the versions
that are selected here, and not be forced to use versions that came
from different time periods, or try to jump across multiple untested
versions in a minor release.

The dependency versions that are selected in this commit are:

	github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3
	github.com/ianlancetaylor/demangle v0.0.0-20200414190113-039b1ae3a340
	golang.org/x/arch v0.0.0-20200312215426-ff8b605520f4
	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
	golang.org/x/mod v0.2.1-0.20200429172858-859b3ef565e2
	golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5
	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
	golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530
	golang.org/x/tools v0.0.0-20200504152539-33427f1b0364
	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543

github.com/ianlancetaylor/demangle is considered in scope and updated.
github.com/google/pprof is out of scope and was not updated.

For #36905.

Change-Id: Icb6996eb0df11f16edd9a42e04434012c0336354
Reviewed-on: https://go-review.googlesource.com/c/go/+/231657
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@dmitshur
Copy link
Contributor

dmitshur commented May 4, 2020

Completed the start-of-freeze update for the 1.15 cycle in CL 231657. Moving to 1.16 milestone and adding early-in-cycle.

@dmitshur dmitshur modified the milestones: Go1.15, Go1.16 May 4, 2020
@dmitshur dmitshur added the early-in-cycle A change that should be done early in the 3 month dev cycle. label May 4, 2020
@dmitshur dmitshur removed their assignment May 4, 2020
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/234002 mentions this issue: cmd: update golang.org/x/mod to v0.3.0 (same commit)

gopherbot pushed a commit that referenced this issue May 18, 2020
v0.3.0 is a tag on 859b3ef565e2, the version that was already being
used. This change is a no-op, except for letting us use a release
version instead of a pseudo-version.

For #36905

Change-Id: I70b8ce2a3f1451f5602c469501362d7a6a673b12
Reviewed-on: https://go-review.googlesource.com/c/go/+/234002
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Michael Matloob <matloob@golang.org>
xujianhai666 pushed a commit to xujianhai666/go-1 that referenced this issue May 21, 2020
The Go 1.15 code freeze has just started. This is the time to update
all golang.org/x/... module versions that contribute packages to the
std and cmd modules in the standard library to latest master versions.

Those versions have already gone through code review, and now they
will undergo additional testing during the freeze period.
If there are new issues in these dependencies discovered, we have
the freeze period to deal with that. By the end of the freeze period,
we will have confidence that the Go 1.15 release and the dependency
versions it has selected are robust.

If one of the Go 1.15.x minor releases requires changing code in one of
the vendored packages, we'll be able to do so on top of the versions
that are selected here, and not be forced to use versions that came
from different time periods, or try to jump across multiple untested
versions in a minor release.

The dependency versions that are selected in this commit are:

	github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3
	github.com/ianlancetaylor/demangle v0.0.0-20200414190113-039b1ae3a340
	golang.org/x/arch v0.0.0-20200312215426-ff8b605520f4
	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
	golang.org/x/mod v0.2.1-0.20200429172858-859b3ef565e2
	golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5
	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
	golang.org/x/text v0.3.3-0.20200430171850-afb9336c4530
	golang.org/x/tools v0.0.0-20200504152539-33427f1b0364
	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543

github.com/ianlancetaylor/demangle is considered in scope and updated.
github.com/google/pprof is out of scope and was not updated.

For golang#36905.

Change-Id: Icb6996eb0df11f16edd9a42e04434012c0336354
Reviewed-on: https://go-review.googlesource.com/c/go/+/231657
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
@andybons andybons added the recurring Issues that should never be closed, but moved to the next milestone once fixed in the current one. label Jul 30, 2020
@dmitshur
Copy link
Contributor

This issue is currently labeled as early-in-cycle for Go 1.16.
That time is now, so this is a friendly ping so the issue is looked at again.

@dmitshur
Copy link
Contributor

I'm creating a short program that performs this task. Using a program makes it easier to precisely define our update policy, and adjust it over time as needed. It also makes this task less error prone and easier to review. Finally, this can help with #41409 and #36852.

The policy I'm implementing right now is informed by the strategy we used in past manual CLs (e.g., CL 231657), with small adjustments. The policy is for all modules in the GOROOT/src directory (currently, std and cmd), update all direct (not indirect) modules with the import path prefix "golang.org/x/" to their latest tip pseudo-version (which can later become tagged as a release version).

The small adjustment is that the github.com/ianlancetaylor/demangle module won't be automatically updated as part of this process. My rationale is that it's different enough that it probably warrants being updated on its own schedule, when there is an explicit need. /cc @ianlancetaylor

Indirect golang.org/x dependencies are not updated, although they could be. I'm going with the more conservative choice for now. I'm open to feedback on this, and can see pros/cons to both strategies.

I've also considered but left out other modules in the GOROOT tree (e.g., GOROOT/misc) for now.

@dmitshur
Copy link
Contributor

Indirect golang.org/x dependencies are not updated, although they could be. I'm going with the more conservative choice for now. I'm open to feedback on this, and can see pros/cons to both strategies.

Looks like we did update indirect dependencies last time. If we don't, it leaves much fewer dependencies to update, because the go.mod files of golang.org/x modules aren't being updated very often.

Will think more about it and likely go with what we did last time as the next step here.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/255859 mentions this issue: misc/update: add program to update golang.org/x dependencies

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/255860 mentions this issue: all: update vendored dependencies during Go 1.15 development

@dmitshur dmitshur changed the title all: update standard-library dependencies at the start and end of each code freeze all: update standard-library dependencies at the start and end of each development cycle Sep 18, 2020
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/256357 mentions this issue: cmd/updatestd: add program to maintain standard library modules

@gopherbot
Copy link
Contributor

This issue is currently labeled as early-in-cycle for Go 1.24.
That time is now, so a friendly reminder to look at it again.

@dmitshur dmitshur self-assigned this Jul 23, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/600535 mentions this issue: all: update vendored dependencies

gopherbot pushed a commit that referenced this issue Jul 23, 2024
The Go 1.24 development tree has opened. This is a time to update
all golang.org/x/... module versions that contribute packages to the
std and cmd modules in the standard library to latest master versions.

For #36905.

[git-generate]
go install golang.org/x/build/cmd/updatestd@latest
go install golang.org/x/tools/cmd/bundle@latest
updatestd -goroot=$(pwd) -branch=master

Change-Id: I5a012af9f041f79ab4d5b30569a154e0c2d1617e
Reviewed-on: https://go-review.googlesource.com/c/go/+/600535
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/600596 mentions this issue: cmd/pprof: update vendored github.com/google/pprof

@dmitshur
Copy link
Contributor

CL 600535 did the early-in-cycle update for Go 1.24.
(Also sent CL 600596 to update a pprof dependency.)
Removing that label to revisit this when the freeze starts.

@dmitshur dmitshur removed the early-in-cycle A change that should be done early in the 3 month dev cycle. label Jul 23, 2024
@dmitshur dmitshur removed their assignment Jul 23, 2024
gopherbot pushed a commit that referenced this issue Jul 23, 2024
Pull in the latest published version of github.com/google/pprof
as part of the continuous process of keeping Go's dependencies
up to date.

For #36905.

[git-generate]
cd src/cmd
go get github.com/google/pprof@v0.0.0-20240722153945-304e4f0156b8
go mod tidy
go mod vendor

Change-Id: If009cff7f2d99ec58315102963cbe07b6739c09a
Reviewed-on: https://go-review.googlesource.com/c/go/+/600596
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/623821 mentions this issue: all: update golang.org/x/sys to pull in CL 614082 [generated]

gopherbot pushed a commit that referenced this issue Nov 5, 2024
A part of the keeping Go's vendored dependencies and generated code
up to date.

For #36905.

[git-generate]
cd src
go get golang.org/x/sys@v0.26.1-0.20241105152852-e0753d469443
go mod tidy
go mod vendor
cd cmd
go get golang.org/x/sys@v0.26.1-0.20241105152852-e0753d469443
go mod tidy
go mod vendor
go generate syscall internal/syscall/...

Change-Id: Ia84505f8934399f7c4518c6218892b81d30e5c17
Cq-Include-Trybots: luci.golang.try:gotip-linux-amd64-longtest
Reviewed-on: https://go-review.googlesource.com/c/go/+/623821
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/631035 mentions this issue: all: update golang.org/x/net [generated]

gopherbot pushed a commit that referenced this issue Nov 22, 2024
A part of the keeping Go's vendored dependencies and generated code
up to date.

This updates h2_bundle.go with unencrypted HTTP/2 support.

For #36905.
For #67816.

[git-generate]
cd src
go get golang.org/x/net@v0.31.0
go mod tidy
go mod vendor
cd cmd
go get golang.org/x/net@v0.31.0
go mod tidy
go mod vendor
go generate -run=bundle std

Change-Id: I2b77f651b990f260fbe7d551c7a819518f1c983f
Reviewed-on: https://go-review.googlesource.com/c/go/+/631035
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/631336 mentions this issue: all: update vendored dependencies [generated]

gopherbot pushed a commit that referenced this issue Nov 22, 2024
The Go 1.24 code freeze has recently started. This is a time to update
all golang.org/x/... module versions that contribute packages to the
std and cmd modules in the standard library to latest master versions.

For #36905.

[git-generate]
go install golang.org/x/build/cmd/updatestd@latest
go install golang.org/x/tools/cmd/bundle@latest
updatestd -goroot=$(pwd) -branch=master

Change-Id: I1b2e3b63ccc1137256d80c882b99ed26a66cbf6b
Reviewed-on: https://go-review.googlesource.com/c/go/+/631336
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/634041 mentions this issue: all: update vendored dependencies [generated]

@mknyszek
Copy link
Contributor

mknyszek commented Dec 6, 2024

I can't currently make progress on this because of an unexpected new vendored dependency, golang.org/x/sys/unix. This was added in CL 632816 and contradicts an explicit decision in the past to not vendor this package ((#32102). (Thanks goes to @dmitshur for figuring this out and cross-referencing everything.)

We either need to roll back that CL or change the policy. CC @ianlancetaylor

@mknyszek
Copy link
Contributor

mknyszek commented Dec 6, 2024

Also, I think that this is currently blocking the RC.

@cherrymui
Copy link
Member

If we want to unblock the RC, we probably can vendor to the commit right before that CL for the RC? That is probably still recent enough, so we get most of the updates in the x reops?

@mknyszek
Copy link
Contributor

mknyszek commented Dec 6, 2024

That's fine with me, but do we have tooling to do this? Or would this have to happen manually? AFAICT updatestd doesn't let me actually select a specific commit for different subrepos.

@dmitshur
Copy link
Contributor

dmitshur commented Dec 6, 2024

Anything other "pick latest versions of all x/ repos" does need some manual intervention. You could still use updatestd, just followed by a go get golang.org/x/net@{pseudo-version before CL 632816}. (Note that updatestd is little more than a convenience command that runs go get ...; go mod tidy; go mod vendor.)

@mknyszek
Copy link
Contributor

mknyszek commented Dec 6, 2024

I think I am coming to the conclusion that I'd rather roll back the x/net changes. The longer we wait to do so, if we decide not to change the policy, the harder it becomes to revert everything.

@mknyszek
Copy link
Contributor

mknyszek commented Dec 6, 2024

Reverts landed and I'm unblocked.

gopherbot pushed a commit that referenced this issue Dec 6, 2024
The Go 1.24 RC is due for next week. This is a time to once again update
all golang.org/x/... module versions that contribute packages to the
std and cmd modules in the standard library to latest master versions.

For #36905.

[git-generate]
go install golang.org/x/build/cmd/updatestd@latest
go install golang.org/x/tools/cmd/bundle@latest
updatestd -goroot=$(pwd) -branch=master

Change-Id: If4fd03a18590ff3b6e701a9698370c57c69979c2
Reviewed-on: https://go-review.googlesource.com/c/go/+/634041
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
@dmitshur
Copy link
Contributor

dmitshur commented Dec 6, 2024

CL 634041, CL 631336, and CL 626995 took care of the start-of-freeze updates for the Go 1.24 cycle. There may still be more updates to the vendored packages if they're needed to resolve release-blocking issues, but there aren't regularly scheduled updates in scope of this issue left.

@mknyszek Okay to move this to the Go 1.25 milestone, and add early-in-cycle?

@mknyszek
Copy link
Contributor

mknyszek commented Dec 6, 2024

Yes, I think we're good.

@mknyszek mknyszek modified the milestones: Go1.24, Go1.25 Dec 6, 2024
@mknyszek mknyszek added the early-in-cycle A change that should be done early in the 3 month dev cycle. label Dec 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
early-in-cycle A change that should be done early in the 3 month dev cycle. NeedsFix The path to resolution is known, but the work has not been done. recurring Issues that should never be closed, but moved to the next milestone once fixed in the current one. release-blocker
Projects
Status: No status
Development

No branches or pull requests