Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Towards better versioning policy #290

Open
gaukas opened this issue Apr 2, 2024 · 4 comments
Open

Towards better versioning policy #290

gaukas opened this issue Apr 2, 2024 · 4 comments
Assignees
Labels
blocker Must be resolved before new tagged version help wanted Calling for community PR/volunteer

Comments

@gaukas
Copy link
Contributor

gaukas commented Apr 2, 2024

As discussed before, to reduce the extra workload and confusion in maintaining uTLS across multiple different Go versions, uTLS is set to support the top 2 MOST RECENT Go (minor) versions. e.g., for April 02, 2024, the latest Go version is Go 1.22.1 so we will support Go 1.21 and Go 1.22. That is to say, once uTLS bump up the minimum version required to go 1.21, Go 1.20 and older version of Go will no longer be able to build and run programs built with uTLS as a dependency.

We also acknowledge and are deeply concerned about another issue mentioned in #249, that past updates to uTLS have broken backward compatibility for a few times for various reason, causing old code no longer compile with newer version of uTLS. While there are human errors in the maintainers of uTLS by mistakenly removing/renaming public interfaces, other uncontrollable factors such as crypto/tls making breaking changes to their function signature or crypto/tls exporting a type in a name existing in uTLS are more concerning.

Onward, here's a few possible versioning policies we can adopt, with pros and cons for each:

  • Strict Versioning Policy: Whenever there is a minimum Go version requirement change or change to Type/Interface/Signature, we bump up the MAJOR VERSION (now v1) of uTLS.
    • Pros: There will not be a compatibility issue.
    • Cons: go mod's automated dependency update will not work at all.
  • Moderate Versioning Policy: Do not bump up MAJOR VERSION for minimum Go version requirement changes. Do bump up MAJOR VERSION when Type/Interface/Signature changes or "could have changed".
    • Pros: At a certain degree we allow go mod continue to work.
    • Cons: It could be non-trivial to detect if there's an API breaking change if it is from upstream and got merged when we sync.
  • Relaxed Versioning Policy: We keep uTLS in v1 and reserve v2 for a groundbreaking update, which may or may not occur in the near future.
    • Pros: it is always possible to use go mod and dependents of uTLS can be updated anytime.
    • Cons: when API is broken, direct dependents of uTLS which also imports other dependents of uTLS may fail to compile if the old (broken by new version) API of uTLS is used in the imported dependents.
@gaukas gaukas self-assigned this Apr 2, 2024
@gaukas gaukas added help wanted Calling for community PR/volunteer blocker Must be resolved before new tagged version labels Apr 2, 2024
@VeNoMouS
Copy link
Contributor

VeNoMouS commented Apr 3, 2024

Re: crypto/tls ..

Let's not forget that whole debate about switching to cloudflares branch of crypto/tls due to their work/changes on ECH etc

@gaukas
Copy link
Contributor Author

gaukas commented Apr 3, 2024

Let's not forget that whole debate about switching to cloudflares branch of crypto/tls due to their work/changes on ECH etc

Only if cloudflare can stop rebasing their commits 😅

Unlike us, cloudflare rebase their changes/commits on top of latest main branch of golang/go (ir)regularly, which is pretty tricky to maintain since we are also making changes based on theirs.

@bassosimone
Copy link

Thanks for opening this issue, @gaukas!

Regarding this:

Cons: go mod's automated dependency update will not work at all.

I assume you mean that go get -u -v ./... will stop updating, is that correct?

I don't know if it's helpful, but I have been recently using https://github.com/icholy/gomajor to check whether I need to upgrade to major versions of OONI dependencies.

bassosimone added a commit to ooni/probe-cli that referenced this issue May 13, 2024
I've used both `gomajor` and `go get -u -v ./...` to update all the
dependencies I could.

It still feels impossible to upgrade snowflake because of the
incompatible dependency with Psiphon (I previously described this issue
at refraction-networking/utls#249 and there
has been some very useful and much appreciated follow-up discussion at
refraction-networking/utls#290, which possibly
will lead to solving the whole issue, which is contingent to current
uTLS versions used by Psiphon and Snowflake, in a systemic and more
fundamental way).

Part of ooni/probe#2722.
@gaukas
Copy link
Contributor Author

gaukas commented May 13, 2024

Hi @bassosimone, thanks for the reply. Yes, that's exactly what I meant.

While third-party tools (such as the one you mentioned, icholy/gomajor could be quite helpful in this case, it is obviously that automated procedures such as go get -u -v ./... or GitHub dependabot will be impacted. And we just cannot simply assume/suggest all importing parties should use any certain third-party tool.

For now I am leaning towards the last two options, with a strong preference in tagging a v2 in the very near future to first address all the existing forward compatibility problems once-and-for-all, which would at least buy us some time in figuring out a more proper long-term solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocker Must be resolved before new tagged version help wanted Calling for community PR/volunteer
Projects
None yet
Development

No branches or pull requests

3 participants