cmd/go: unnecessarily multiple possible pseudo versions for one commit

[hajimehoshi]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.11rc2 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/hajimehoshi/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/hajimehoshi/go"
GOPROXY=""
GORACE=""
GOROOT="/Users/hajimehoshi/sdk/go1.11rc2"
GOTMPDIR=""
GOTOOLDIR="/Users/hajimehoshi/sdk/go1.11rc2/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/hajimehoshi/gotest/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/b7/w11sqqrx7kx6fqfbn24wdsmh0000gn/T/go-build335252993=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Create a project repository with a main.go importing github.com/hajimehoshi/ebiten, and created go.mod. I tested 5 types of go.mod:

module example.com/m

require github.com/hajimehoshi/ebiten v0.0.0-20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.0.0-20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.7.0-alpha.0.20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.8.0-alpha.0.20180819111657-1c088dc8b6d3

module example.com/m

require github.com/hajimehoshi/ebiten v1.9.0-alpha.0.20180819111657-1c088dc8b6d3

Run go1.11rc2 mod tidy with each go.mod

What did you expect to see?

go mod tidy should update the dependency version to v1.8.0-alpha.0.20180819111657-1c088dc8b6d3 since there is a tagged commit v1.8.0-alpha

What did you see instead?

In any cases, go mod tidy didn't update go.mod.

I think especially the case of v1.9.0-... seems dangerous since it might pollute the cache and when I release the version v1.9.0-*, the cache might not work well.

[bcmills]

Note that, in general, a given commit can correspond to multiple tagged versions too: nothing stops you from, say, tagging the same commit as all of v1.8.5, v1.9.0-rc1, and v1.9.0.

[hajimehoshi]

OK, so I fixed the issue title. Thanks!

[thepudds]

I think https://golang.org/cl/174061 would help this as well (by making it deterministic by selecting the semantically highest tag when it first creates a pseudo-version).

However, is part of the complaint here that a human can manually enter different pseudo-versions, and/or that different go.mod files over time might have different pseudo-versions for the same commit if tags are added over time to a single commit?

[thepudds]

@hajimehoshi In your example that you reported here, is it the case that most of the pseudo-versions you tried had the "wrong" semver tag within them for that same commit 1c088dc8b6d3 you kept using, but then go mod tidy did not update those "wrong" pseudo-versions to have correct semver tag within the pseudoversion?

@bcmills Would it be reasonable for go mod tidy to be defined to reach back to the source for any pseudo-version found in go.mod to pick the semantically highest semver tag contained within that commit and update the corresponding pseudo-version within the go.mod? Or at least for go mod tidy to do that update if the pseudo-version found in go.mod has a "wrong" semver tag within it?

CC @rogpeppe

[hajimehoshi]

but then go mod tidy did not update those "wrong" pseudo-versions to have correct semver tag within the pseudoversion?

As far as I remember, correct. Let me double-check later.

[bcmills]

@thepudds, I don't think go mod tidy is the right place for that. (It shouldn't hit the network if the module graph and the package graph are already in alignment and the required modules are already in the local cache.)

We also can't reject versions that are arbitrarily below that implied by parent tags. The same commit may be (for example) tagged as v1.3.0 and v1.2.1 (if it is, say, released as v1.3.0 and subsequently determined to fix a regression in v1.2.0), so it should be possible to name a commit based on any tag it may logically succeed.

However, we probably should reject (that is, refuse to even resolve) pseudo-versions that are above that implied by the highest tag, since that would allow modules to forcibly downgrade dependencies by misrepresenting the version of an old commit.

[gopherbot]

Change https://golang.org/cl/181881 mentions this issue: cmd/go: validate pseudo-versions against module paths and revision metadata

[gopherbot]

Change https://golang.org/cl/182178 mentions this issue: cmd/go/internal/modfetch: re-resolve commit hashes in readDiskStat

[bcmills]

Here is a sample of affected paths, derived from https://index.golang.org:

``` bitbucket.org/dchapes/db a88b39da22e9 2017-01-02 20:58:12 +0000 UTC 2018-08-04 20:58:12 +0000 UTC github.com/BurntSushi/xgb 27f122750802 2016-05-22 18:18:43 +0000 UTC 2016-05-22 22:18:00 +0000 UTC github.com/DeanThompson/ginpprof 3be636683586 2019-04-08 06:31:50 +0000 UTC 2019-04-08 07:07:48 +0000 UTC github.com/StackExchange/wmi cbe66965904d 2019-05-23 21:33:15 +0000 UTC 2019-05-23 21:36:09 +0000 UTC github.com/antihax/optional ca021399b1a6 2018-04-06 19:43:04 +0000 UTC 2018-04-07 02:43:04 +0000 UTC github.com/awalterschulze/gographviz 1e9ccb565bca 2019-02-21 21:06:32 +0000 UTC 2019-03-29 05:28:59 +0000 UTC github.com/bingoohuang/gou bf3d9b2b55aa5840c442284656ed6b15aedc5a25 2019-05-27 05:31:07 +0000 UTC 2019-06-04 08:29:26 +0000 UTC github.com/certifi/gocertifi d2eda7129713 2019-05-06 16:45:43 +0000 UTC 2019-05-06 17:44:09 +0000 UTC github.com/containerd/containerd ceba56893a76 invalid base: "v1.3.0-0.20190321141026-ceba56893a76" github.com/coreos/go-systemd 95778dfbb74e 2019-03-21 10:07:06 +0000 UTC 2019-04-01 02:55:00 +0000 UTC github.com/cpuguy83/go-md2man 691ee98543af 2018-06-19 19:30:05 +0000 UTC 2018-06-19 20:56:30 +0000 UTC github.com/denisenkom/go-mssqldb 731ef375ac02 2019-04-23 18:37:35 +0000 UTC 2019-04-27 21:28:04 +0000 UTC github.com/etcd-io/etcd 35a67024f680 2019-06-03 11:18:07 +0000 UTC 2019-06-03 18:18:07 +0000 UTC github.com/fishy/gcsbucket 618d60fe84e0 2015-04-10 20:54:53 +0000 UTC 2018-02-17 03:18:46 +0000 UTC github.com/fujiwara/ridge 3b8228696ce7 2019-03-12 08:07:41 +0000 UTC 2019-03-12 08:41:19 +0000 UTC github.com/gin-contrib/static c1cdf9c9ec7b 2019-05-11 12:47:41 +0000 UTC 2019-05-11 13:24:12 +0000 UTC github.com/gin-gonic/contrib 7fb7810ed2a0 2019-05-26 02:17:35 +0000 UTC 2019-05-26 02:44:57 +0000 UTC github.com/git-lfs/go-ntlm c5056e7fa066 2019-03-07 20:31:51 +0000 UTC 2019-04-01 17:57:52 +0000 UTC github.com/golang/lint 8f45f776aaf1 2018-12-17 17:45:47 +0000 UTC 2019-02-27 17:43:05 +0000 UTC github.com/golangci/errcheck ef45e06d44b6 2018-10-03 20:33:44 +0000 UTC 2018-12-23 08:41:20 +0000 UTC github.com/golangci/go-tools 35a9f45a5db0 2018-01-09 14:01:46 +0000 UTC 2019-01-24 09:00:46 +0000 UTC github.com/golangci/gofmt 0b8337e80d98 2018-11-05 07:17:33 +0000 UTC 2018-12-22 12:35:16 +0000 UTC github.com/golangci/lint c2187e7932b5 2017-09-08 18:12:59 +0000 UTC 2018-09-02 08:04:04 +0000 UTC github.com/golangci/unparam 7ad9dbcccc16 2018-09-02 11:25:48 +0000 UTC 2018-09-02 11:51:09 +0000 UTC github.com/google/pprof 8358a9778bd1 2019-05-02 14:41:55 +0000 UTC 2019-05-09 08:38:00 +0000 UTC github.com/google/wire 93b1ce745f8d invalid base: "v0.3.0-0.20190611223505-93b1ce745f8d" github.com/hashicorp/hcl2 4b22149b7cef 2019-05-15 22:32:18 +0000 UTC 2019-05-15 22:43:32 +0000 UTC github.com/justinas/alice 03f45bd4b7da 2016-09-10 10:38:22 +0000 UTC 2017-10-23 06:44:55 +0000 UTC github.com/knq/sdhook 4d2800fd245c 2019-05-12 23:18:55 +0000 UTC 2019-05-12 23:42:13 +0000 UTC github.com/mgechev/dots 18fa4c4b71cc 2018-12-28 16:47:30 +0000 UTC 2019-06-03 12:26:14 +0000 UTC github.com/modsdemo/v0tags d69de0386093 invalid base: "v0.9.0-0.20190505141014-d69de0386093" github.com/netlify/netlify-commons c4d04dcc126b invalid base: "v0.17.0-0.20190606095701-c4d04dcc126b" github.com/prometheus/procfs 0c11a8e341bf 2019-05-30 14:28:22 +0000 UTC 2019-05-30 14:47:49 +0000 UTC github.com/prometheus/procfs 3cb620ac02d0 2019-05-28 15:12:40 +0000 UTC 2019-05-28 15:47:54 +0000 UTC github.com/prometheus/procfs 5867b95ac084 2019-05-07 16:40:30 +0000 UTC 2019-05-13 00:39:49 +0000 UTC github.com/prometheus/procfs 65bdadfa96ae 2019-05-29 15:59:44 +0000 UTC 2019-05-29 17:30:44 +0000 UTC github.com/prometheus/procfs 740c07785007 2019-05-03 13:03:16 +0000 UTC 2019-05-06 00:28:11 +0000 UTC github.com/prometheus/procfs 87a4384529e0 2019-04-25 08:29:05 +0000 UTC 2019-04-30 20:53:26 +0000 UTC github.com/prometheus/procfs 9935e8e0588d 2019-05-19 11:10:21 +0000 UTC 2019-05-20 13:46:16 +0000 UTC github.com/prometheus/procfs a7aeb8df3389 2019-05-23 19:31:04 +0000 UTC 2019-05-23 19:40:42 +0000 UTC github.com/prometheus/procfs bbced9601137 2019-02-27 23:14:51 +0000 UTC 2019-02-28 00:09:57 +0000 UTC github.com/prometheus/procfs bc1a522cf7b1 2019-05-22 11:45:15 +0000 UTC 2019-05-23 18:31:34 +0000 UTC github.com/smartystreets/assertions 980c5ac6f3ac 2019-02-15 21:06:24 +0000 UTC 2019-03-30 03:27:15 +0000 UTC github.com/smartystreets/assertions f487f9de1cd3 2019-04-01 21:17:40 +0000 UTC 2019-05-30 18:08:12 +0000 UTC github.com/smartystreets/goconvey 68dc04aab96a 2019-03-30 03:26:15 +0000 UTC 2019-03-30 03:27:15 +0000 UTC (and 290 more) github.com/smartystreets/goconvey ef6db91d284a 2018-02-22 19:45:00 +0000 UTC 2019-03-30 03:26:15 +0000 UTC github.com/spf13/cobra c46add8a6528 0001-01-01 00:00:00 +0000 UTC 2017-07-11 12:08:33 +0000 UTC github.com/ugorji/go/codec e444a5086c43 2019-02-04 20:13:41 +0000 UTC 2019-04-29 20:13:41 +0000 UTC github.com/zclconf/go-cty 4fecf87372ec 2019-05-16 20:38:16 +0000 UTC 2019-05-19 16:34:11 +0000 UTC go.etcd.io/etcd 35a67024f680 2019-06-03 11:18:07 +0000 UTC 2019-06-03 18:18:07 +0000 UTC go4.org 94abd6928b1d 2019-03-13 08:23:47 +0000 UTC 2019-04-30 20:53:26 +0000 UTC golang.org/x/arch 788fe5ffcd8c 2019-03-12 16:21:04 +0000 UTC 2019-03-29 05:28:59 +0000 UTC golang.org/x/crypto 0709b304e793 2018-09-04 16:38:35 +0000 UTC 2019-01-29 21:01:02 +0000 UTC golang.org/x/crypto 20be4c3c3ed5 2019-05-30 12:26:14 +0000 UTC 2019-06-01 00:35:51 +0000 UTC (and 81 more) golang.org/x/crypto 22d7a77e9e5f 2019-05-13 17:29:03 +0000 UTC 2019-05-13 17:59:42 +0000 UTC golang.org/x/crypto a29dc8fdc734 2019-04-26 14:53:43 +0000 UTC 2019-05-02 00:46:02 +0000 UTC golang.org/x/lint 959b441ac422 2019-04-09 20:28:23 +0000 UTC 2019-05-11 00:54:46 +0000 UTC golang.org/x/net 3ec191127204 2019-05-14 14:07:10 +0000 UTC 2019-05-15 22:43:32 +0000 UTC (and 1 more) golang.org/x/net 4829fb13d2c6 2019-04-24 11:20:56 +0000 UTC 2019-04-24 11:27:55 +0000 UTC golang.org/x/net 60506f45cf65 2019-06-03 09:10:49 +0000 UTC 2019-06-03 09:33:02 +0000 UTC (and 64 more) golang.org/x/net 9ce7a6920f09 2019-05-01 00:44:15 +0000 UTC 2019-05-01 01:37:50 +0000 UTC golang.org/x/net a4d6f7feada5 2019-05-09 22:28:00 +0000 UTC 2019-05-09 23:21:57 +0000 UTC golang.org/x/net f3200d17e092 2019-05-22 15:58:17 +0000 UTC 2019-05-23 14:48:54 +0000 UTC (and 292 more) golang.org/x/net f4e77d36d62c 2019-05-03 19:29:46 +0000 UTC 2019-05-06 00:28:11 +0000 UTC golang.org/x/oauth2 0f29369cfe45 2019-06-04 05:34:49 +0000 UTC 2019-06-04 05:40:33 +0000 UTC (and 2 more) golang.org/x/oauth2 950ef44c6e07 2019-05-17 18:12:55 +0000 UTC 2019-05-17 18:47:00 +0000 UTC (and 2 more) golang.org/x/oauth2 9f3314589c9a 2019-04-02 18:19:05 +0000 UTC 2019-04-05 16:48:17 +0000 UTC (and 1 more) golang.org/x/oauth2 aaccbc9213b0 2019-05-23 18:27:46 +0000 UTC 2019-05-23 18:31:34 +0000 UTC (and 28 more) golang.org/x/sync 112230192c58 2019-04-23 02:48:10 +0000 UTC 2019-04-27 21:28:04 +0000 UTC golang.org/x/sys 0e01d883c5c5 2019-05-23 14:25:57 +0000 UTC 2019-05-23 14:48:54 +0000 UTC golang.org/x/sys 2219a0101f92 2019-05-26 03:56:09 +0000 UTC 2019-05-26 04:24:58 +0000 UTC golang.org/x/sys 3626398d7749 2019-05-28 18:36:47 +0000 UTC 2019-05-28 18:52:58 +0000 UTC (and 12 more) golang.org/x/sys 46560c3f3c0a 2019-05-31 07:31:56 +0000 UTC 2019-05-31 07:58:03 +0000 UTC (and 4 more) golang.org/x/sys 4c3a928424d2 2019-05-31 17:50:56 +0000 UTC 2019-05-31 18:41:41 +0000 UTC (and 47 more) golang.org/x/sys 4c4f7f33c9ed 2019-06-02 01:53:25 +0000 UTC 2019-06-02 03:53:34 +0000 UTC (and 119 more) golang.org/x/sys 5219a1e1c5f8 2019-05-29 13:00:38 +0000 UTC 2019-05-29 13:27:21 +0000 UTC (and 1 more) golang.org/x/sys 61b9204099cb 2019-05-16 11:00:30 +0000 UTC 2019-05-19 16:34:11 +0000 UTC golang.org/x/sys 69e3a3a65b5b 2019-05-31 13:24:40 +0000 UTC 2019-05-31 13:51:44 +0000 UTC (and 3 more) golang.org/x/sys 6a60838ec259 2019-05-29 16:45:35 +0000 UTC 2019-05-29 17:45:06 +0000 UTC (and 20 more) golang.org/x/sys 791d8a0f4d09 2019-05-26 05:23:59 +0000 UTC 2019-05-26 05:33:52 +0000 UTC (and 37 more) golang.org/x/sys 854af27f14a7 2019-05-29 08:50:34 +0000 UTC 2019-05-29 09:46:03 +0000 UTC (and 1 more) golang.org/x/sys 9cd6430ef91e 2019-05-27 10:42:16 +0000 UTC 2019-05-27 11:25:10 +0000 UTC (and 18 more) golang.org/x/sys a5b02f93d862 2019-05-09 14:14:14 +0000 UTC 2019-05-09 14:35:28 +0000 UTC golang.org/x/sys abf6ff778158 2019-05-24 12:25:48 +0000 UTC 2019-05-24 12:37:31 +0000 UTC golang.org/x/sys ad28b68e88f1 2019-05-30 18:20:44 +0000 UTC 2019-05-30 18:49:56 +0000 UTC (and 10 more) golang.org/x/sys adf421d2caf4 2019-05-28 01:25:30 +0000 UTC 2019-05-28 01:38:23 +0000 UTC (and 15 more) golang.org/x/sys afe098805b5c 2019-06-02 01:07:38 +0000 UTC 2019-06-02 01:54:18 +0000 UTC golang.org/x/sys b6889370fb10 2019-03-02 02:57:03 +0000 UTC 2019-03-02 04:57:20 +0000 UTC golang.org/x/sys cc920278c2cc 2019-05-29 11:55:39 +0000 UTC 2019-05-29 12:49:54 +0000 UTC golang.org/x/sys dbbf3f1254d4 2019-05-24 15:25:21 +0000 UTC 2019-05-24 15:37:43 +0000 UTC (and 29 more) golang.org/x/sys e44a3b55db15 2019-05-26 03:10:47 +0000 UTC 2019-05-26 03:23:47 +0000 UTC golang.org/x/sys ea4c425e90c7 2019-05-27 09:26:32 +0000 UTC 2019-05-27 10:24:28 +0000 UTC golang.org/x/text 905a57155faa 2018-09-11 16:15:11 +0000 UTC 2018-09-08 17:02:15 +0000 UTC golang.org/x/time 9d24e82272b4 2019-03-08 20:28:27 +0000 UTC 2019-05-13 21:27:39 +0000 UTC golang.org/x/tools 08bd53a4b4c4 2019-05-28 20:25:02 +0000 UTC 2019-05-28 20:27:19 +0000 UTC (and 3 more) golang.org/x/tools 08e0b306e832 2019-06-03 15:29:06 +0000 UTC 2019-06-03 15:47:49 +0000 UTC golang.org/x/tools 0abef6e9ecb8 2019-06-01 11:02:25 +0000 UTC 2019-06-01 11:37:40 +0000 UTC (and 16 more) golang.org/x/tools 12d73424210d 2019-05-30 04:37:10 +0000 UTC 2019-05-30 04:46:27 +0000 UTC (and 10 more) golang.org/x/tools 16909d206f00 2019-01-18 19:33:59 +0000 UTC 2019-01-30 01:41:16 +0000 UTC golang.org/x/tools 178e83bc9d6a 2019-06-03 18:19:26 +0000 UTC 2019-06-03 18:55:32 +0000 UTC golang.org/x/tools 1a7b4747f5e9 2019-05-28 14:28:31 +0000 UTC 2019-05-28 14:38:58 +0000 UTC golang.org/x/tools 26e35f15edef 2019-05-31 22:35:38 +0000 UTC 2019-05-31 23:33:48 +0000 UTC (and 10 more) golang.org/x/tools 2b03ca6e44eb 2019-05-30 17:14:27 +0000 UTC 2019-05-30 17:43:12 +0000 UTC golang.org/x/tools 2c0ae7006135 2019-05-24 14:03:12 +0000 UTC 2019-05-24 14:37:32 +0000 UTC (and 3 more) golang.org/x/tools 2de7f9bf822c 2019-06-02 11:28:58 +0000 UTC 2019-06-02 11:50:13 +0000 UTC (and 25 more) golang.org/x/tools 31fd60d6bfdc 2019-04-25 16:32:42 +0000 UTC 2019-04-25 16:47:42 +0000 UTC golang.org/x/tools 379209517ffe 2019-01-25 23:20:54 +0000 UTC 2019-02-05 20:13:29 +0000 UTC golang.org/x/tools 38d8bcfa38af 2019-05-23 17:46:34 +0000 UTC 2019-05-23 18:37:47 +0000 UTC (and 17 more) golang.org/x/tools 3d17549cdc6b 2019-05-24 21:02:28 +0000 UTC 2019-05-24 21:42:54 +0000 UTC (and 15 more) golang.org/x/tools 521d6ed310dd 2019-05-21 20:35:40 +0000 UTC 2019-05-23 14:29:46 +0000 UTC (and 2 more) golang.org/x/tools 6c7e314b6563 2018-08-31 21:12:45 +0000 UTC 2018-10-30 22:17:26 +0000 UTC golang.org/x/tools 70bf279967a6 2019-06-03 21:18:25 +0000 UTC 2019-06-03 21:59:19 +0000 UTC golang.org/x/tools 75312fb06703 2019-05-30 21:55:28 +0000 UTC 2019-05-30 22:45:34 +0000 UTC (and 17 more) golang.org/x/tools 7be61e1b0e51 2019-05-25 14:57:41 +0000 UTC 2019-05-25 15:32:51 +0000 UTC (and 69 more) golang.org/x/tools 8aaa1484dc10 2019-06-03 23:13:51 +0000 UTC 2019-06-03 23:30:10 +0000 UTC (and 16 more) golang.org/x/tools 991f2949994b 2019-05-24 12:55:31 +0000 UTC 2019-05-24 13:50:26 +0000 UTC golang.org/x/tools aa71c3f32488 2019-05-29 01:04:54 +0000 UTC 2019-05-29 01:27:14 +0000 UTC (and 13 more) golang.org/x/tools b012c1979805 2019-06-03 19:34:55 +0000 UTC 2019-06-03 19:57:03 +0000 UTC golang.org/x/tools b3315ee88b7d 2019-05-31 17:21:33 +0000 UTC 2019-05-31 17:54:26 +0000 UTC (and 3 more) golang.org/x/tools b97706b7f64d 2019-05-30 00:16:15 +0000 UTC 2019-05-30 00:37:56 +0000 UTC (and 2 more) golang.org/x/tools ce1a3806b557 2019-05-30 18:43:49 +0000 UTC 2019-05-30 19:41:57 +0000 UTC golang.org/x/tools d238219cc233 2019-05-28 15:12:38 +0000 UTC 2019-05-28 15:44:30 +0000 UTC (and 2 more) golang.org/x/tools d487f80763e2 2019-05-24 18:48:02 +0000 UTC 2019-05-24 19:42:50 +0000 UTC golang.org/x/tools d850aa06e894 2019-05-29 19:11:38 +0000 UTC 2019-05-29 19:28:31 +0000 UTC golang.org/x/tools f0bfdbff1f9c 2019-03-14 01:07:20 +0000 UTC 2019-03-15 21:40:10 +0000 UTC golang.org/x/tools f98590f1bfc8 2019-05-29 17:05:31 +0000 UTC 2019-05-29 17:45:06 +0000 UTC golang.org/x/tools fb6c8ffd2207 2019-05-29 20:33:03 +0000 UTC 2019-05-29 21:33:27 +0000 UTC golang.org/x/xerrors a5947ffaac 2019-03-15 15:13:31 +0000 UTC 2019-05-13 16:35:51 +0000 UTC google.golang.org/genproto bb713bdc0e52 2019-05-16 17:26:35 +0000 UTC 2019-05-19 16:34:11 +0000 UTC google.golang.org/genproto c2c4e71fbf69 2019-05-22 20:44:51 +0000 UTC 2019-05-23 14:48:54 +0000 UTC (and 22 more) google.golang.org/genproto ee236bd376b0 2017-08-18 01:03:45 +0000 UTC 2017-08-18 10:03:45 +0000 UTC google.golang.org/genproto fb225487d101 2019-05-30 19:49:41 +0000 UTC 2019-06-01 00:35:51 +0000 UTC (and 82 more) k8s.io/apimachinery 1f207b29b441 2019-05-13 18:25:58 +0000 UTC 2019-05-14 01:25:58 +0000 UTC k8s.io/apimachinery 5bae42371a56 2019-04-30 14:11:24 +0000 UTC 2019-04-30 21:11:24 +0000 UTC k8s.io/apimachinery 63a6072eb563 2019-06-02 11:36:12 +0000 UTC 2019-06-02 18:36:12 +0000 UTC k8s.io/code-generator b1289fc74931 2018-11-28 19:10:24 +0000 UTC 2019-03-01 17:30:42 +0000 UTC tmthrgd.dev/go/ddns 4f91cdabf141 2019-04-30 00:36:47 +0000 UTC 2019-04-30 00:41:04 +0000 UTC ```

[bcmills]

Unfortunately, I don't have a reverse-index of go.mod files in which (even a subset of) those versions appear.

[marwan-at-work]

Responding to @bcmills's slack question on how we usually write pseudo semvers in Go.mod files:

I never manually write a pseudo version, I usually do go get <some-pkg>@<full-long-sha> and let go convert a full long hash to a pseudo version

For example: go get github.com/pkg/errors@27936f6d90f9c8e1145f11ed52ffffbfdb9e0af7 and then my go.mod file will actually turn it into whatever pseudo semver.

It would be nice if people followed that convention and never wrote their own pseudo semvers...not sure if the Go command can help people towards that practice.

[rogpeppe]

@marwan-at-work That's what I do now, but originally I wasn't aware of that very convenient behaviour. I think that in principle it would be nice if the Go command failed on a pseudoversion with a mismatching date and suggest the alternative approach. My worry is that there are already lots of bad versions out there and this will cause people's builds to fail unexpectedly, giving more bad press to modules.

[thepudds]

Hi @bcmills, a couple questions.

Q1. From https://golang.org/cl/181881, it seems it will do a hard error if one of these types of previously allowed mistakes is found in a go.mod. Does that apply to go.mod files for both direct and indirect dependencies? I suspect the answer is yes.

If so, it means a "rare" problem on a per go.mod basis can end up being not so rare to experience when even a small-ish project can have a large count of dependencies in its module-level graph. Also, a single mistake by a single popular project could end up with wide impact, and that mistake could even happen a few months from now, if I am following.

It might make sense to be cautious here. It seems a warning in 1.13 would be less disruptive, and give more time to adapt.

Q2. Does that hard error also get triggered by any go.mod visited across the module-level dependency graph, including possibly being triggered by go.mod files from old versions that don't even end up being selected as a final version for the final build list?

If so, that increases the risk of experiencing a hard failure for something that used to work in Go 1.12, including if some indirect dependency might have fixed the problem several months ago but an old version of that go.mod still gets visited and triggers the error. That would mean the "hangover" of a mistake ends up lasting longer. That said, not sure if that applies here.

Here is an example of it failing with that CL when trying to get the current version of a reasonably popular utility:

$ go mod init tempod
$ export GOPROXY=direct
$ go get github.com/golangci/golangci-lint/...
go get: github.com/golangci/golangci-lint@v1.17.1 requires
        github.com/go-critic/go-critic@v0.0.0-20181204210945-1df300866540: 
        pseudo-version does not match timestamp (2019-05-26T07:48:19Z)

That is devel +13c08e5389 Fri Jun 14 17:40:17.

Here is where that change seemed to happen. In that particular case, I don't know why just the commit hash of the pseudoversion was changed in the go.mod, but my first guess would be sometimes people might do a hand edit where they felt it slightly more convenient to just update the hash (without deleting the whole pseudoversion first), or perhaps in some cases people don't know that they can do "module queries" in their go.mod (including specifying just a commit hash).

Finally, sorry in advance if I am not understanding the impact of this change or when it triggers.

[thepudds]

@bcmills also, skimming over your list just now, it seems there are cases where the timestamp is a dozen or so minutes off, such as:

golang.org/x/net 60506f45cf65
        2019-06-03 09:10:49 +0000 UTC
        2019-06-03 09:33:02 +0000 UTC
                (and 64 more)

That example is probably not from a human edit, I would guess? Do you have a sense of where that type of error might be coming from?

[bcmills]

it will do a hard error if one of these types of previously allowed mistakes is found in a go.mod. Does that apply to go.mod files for both direct and indirect dependencies?

Yes. If it were to apply only to indirect dependencies, then it would be possible to “pin” an erroneous pseudo-version using a replace directive, which I don't want to allow. (The owner of the module, not the consumer of that module, should determine its mapping of commits to versions.)

If so, that increases the risk of experiencing a hard failure for something that used to work in Go 1.12, including if some indirect dependency might have fixed the problem several months ago but an old version of that go.mod still gets visited and triggers the error.

Yes. I'm actually pretty worried about that scenario, and it's something we'll need to watch closely during the beta. However, it should at least be possible to repair locally using a replace directive:

replace github.com/go-critic/go-critic v0.0.0-20181204210945-1df300866540 => v0.0.0-20190526074819-1df300866540

If we find a small number of such dependencies in central modules, we could also consider a whitelist of invalid {module, version} pairs. That's the most reasonable mitigation I can think of at this point that doesn't also allow arbitrarily-bad version strings going forward.

perhaps in some cases people don't know that they can do "module queries" in their go.mod (including specifying just a commit hash).

That seems likely to me.

[bcmills]

As for the handful of golang.org/x and similar modules with very large numbers of timestamp variations: I have no idea what's going on with those, and I hope that we can flush that problem out during the beta. My best guess is that someone, somewhere (maybe even the Go project itself!) has a buggy CI script that is attempting to produce its own pseudo-versions for specific commits (possibly the master commit?).

[bcmills]

@jayconrod suggested that I expand the search for affected versions by looking for pseudo-versions with the same timestamp but different commit hashes. Filtering out the v0.0.0-0. parse errors (for which I have no explanatory theory) and the v0.0.0-[…]+incompatible errors (which we have confirmed are a bug internal to the proxy), that expands the results as below.

``` github.com/census-instrumentation/opencensus-proto invalid base: base of pseudo-version would have a negative patch number: "v0.1.0-0.20181214143942-ba49f56771b8" indexed: 2019-04-11 07:33:31.341638 -0700 -0700 github.com/containerd/containerd invalid base: base of pseudo-version would have a negative patch number: "v1.3.0-0.20190212172151-f5b0fa220df8" indexed: 2019-04-11 11:52:27.818978 -0700 -0700 github.com/docker/docker invalid base: base of pseudo-version would have a negative patch number: "v1.14.0-0.20190319215453-e7b5f7dbe98c" indexed: 2019-04-22 18:43:27.023939 -0700 -0700 github.com/containerd/containerd invalid base: base of pseudo-version would have a negative patch number: "v1.3.0-0.20190321141026-ceba56893a76" indexed: 2019-04-25 14:31:11.173735 -0700 -0700 github.com/cloudwan/ginkgo invalid base: base of pseudo-version would have a negative patch number: "v1.6.0-0.20190213151947-95174e8d10cd" indexed: 2019-04-25 15:41:04.601405 -0700 -0700 github.com/containerd/containerd invalid base: base of pseudo-version would have a negative patch number: "v1.3.0-0.20190426060238-3a3f0aac8819" indexed: 2019-05-01 04:21:55.296174 -0700 -0700 github.com/modsdemo/v0tags invalid base: base of pseudo-version would have a negative patch number: "v0.9.0-0.20190505141014-d69de0386093" indexed: 2019-05-20 09:33:41.520421 -0700 -0700 github.com/docker/docker invalid base: base of pseudo-version would have a negative patch number: "v1.14.0-0.20190410063227-d9d9eccdc862" indexed: 2019-05-22 15:10:39.4473 -0700 -0700 gopkg.in/gin-gonic/gin.v1 invalid base: base of pseudo-version would have a negative patch number: "v1.0.0-0.20170702092826-d459835d2b07" indexed: 2019-06-05 22:55:09.794311 -0700 -0700 github.com/netlify/netlify-commons invalid base: base of pseudo-version would have a negative patch number: "v0.17.0-0.20190606095701-c4d04dcc126b" indexed: 2019-06-06 03:11:36.277271 -0700 -0700 gopkg.in/bluesuncorp/validator.v5 invalid base: base of pseudo-version would have a negative patch number: "v5.0.0-0.20150523023324-07cbdd2e6dfd" indexed: 2019-06-09 22:05:53.683348 -0700 -0700 github.com/containers/libpod invalid base: base of pseudo-version would have a negative patch number: "v1.4.0-0.20190614192453-4a450d55d95f" indexed: 2019-06-14 14:21:06.365614 -0700 -0700 github.com/google/wire invalid base: base of pseudo-version would have a negative patch number: "v0.3.0-0.20190611223505-93b1ce745f8d" indexed: 2019-06-17 10:07:09.135102 -0700 -0700 bitbucket.org/dchapes/db a88b39da22e9 timestamp varies: 2017-01-02 20:58:12 +0000 UTC 2018-08-04 20:58:12 +0000 UTC github.com/BurntSushi/xgb 27f122750802 timestamp varies: 2016-05-22 18:18:43 +0000 UTC 2016-05-22 22:18:00 +0000 UTC github.com/DeanThompson/ginpprof 3be636683586 timestamp varies: 2019-04-08 06:31:50 +0000 UTC 2019-04-08 07:07:48 +0000 UTC github.com/StackExchange/wmi cbe66965904d timestamp varies: 2019-05-23 21:33:15 +0000 UTC 2019-05-23 21:36:09 +0000 UTC github.com/antihax/optional ca021399b1a6 timestamp varies: 2018-04-06 19:43:04 +0000 UTC 2018-04-07 02:43:04 +0000 UTC github.com/apelisse/protobuf 20190410021324 revision varies: 0ad0d52e9ce345a781f6c002748fc399d4efb611 765b5b8d2dfc github.com/awalterschulze/gographviz 1e9ccb565bca timestamp varies: 2019-02-21 21:06:32 +0000 UTC 2019-03-29 05:28:59 +0000 UTC github.com/bingoohuang/gou 20190604082926 revision varies: be6100942b5a bf3d9b2b55aa5840c442284656ed6b15aedc5a25 github.com/bingoohuang/gou bf3d9b2b55aa5840c442284656ed6b15aedc5a25 timestamp varies: 2019-05-27 05:31:07 +0000 UTC 2019-06-04 08:29:26 +0000 UTC github.com/c-jiazheng/yzf-common 20190604085922 revision varies: 6260accc7ec8 c49557393a17 (and 2 more) github.com/certifi/gocertifi d2eda7129713 timestamp varies: 2019-05-06 16:45:43 +0000 UTC 2019-05-06 17:44:09 +0000 UTC github.com/coreos/go-semver 20180108230905 revision varies: e214231b295 e214231b295a github.com/coreos/go-systemd 95778dfbb74e timestamp varies: 2019-03-21 10:07:06 +0000 UTC 2019-04-01 02:55:00 +0000 UTC github.com/cpuguy83/go-md2man 691ee98543af timestamp varies: 2018-06-19 19:30:05 +0000 UTC 2018-06-19 20:56:30 +0000 UTC github.com/denisenkom/go-mssqldb 731ef375ac02 timestamp varies: 2019-04-23 18:37:35 +0000 UTC 2019-04-27 21:28:04 +0000 UTC github.com/depop/logentries 20180530131341 revision varies: cf541324c208164813b3bad517721012407c825f ecb331a4a2b0 github.com/etcd-io/etcd 35a67024f680 timestamp varies: 2019-06-03 11:18:07 +0000 UTC 2019-06-03 18:18:07 +0000 UTC github.com/fishy/gcsbucket 618d60fe84e0 timestamp varies: 2015-04-10 20:54:53 +0000 UTC 2018-02-17 03:18:46 +0000 UTC github.com/fujiwara/ridge 3b8228696ce7 timestamp varies: 2019-03-12 08:07:41 +0000 UTC 2019-03-12 08:41:19 +0000 UTC github.com/gin-contrib/static c1cdf9c9ec7b timestamp varies: 2019-05-11 12:47:41 +0000 UTC 2019-05-11 13:24:12 +0000 UTC github.com/gin-gonic/contrib 7fb7810ed2a0 timestamp varies: 2019-05-26 02:17:35 +0000 UTC 2019-05-26 02:44:57 +0000 UTC github.com/git-lfs/go-ntlm c5056e7fa066 timestamp varies: 2019-03-07 20:31:51 +0000 UTC 2019-04-01 17:57:52 +0000 UTC github.com/go-critic/go-critic 20181204210945 revision varies: c3db6069acc5 ee9bf5809ead github.com/go-mgo/mgo 20180705113738 revision varies: 7446a0344b7 7446a0344b78 github.com/golang/lint 20190409202823 revision varies: 5614ed5bae6fb75893070bdc0996a68765fdd275 959b441ac422 github.com/golang/lint 8f45f776aaf1 timestamp varies: 2018-12-17 17:45:47 +0000 UTC 2019-02-27 17:43:05 +0000 UTC github.com/golangci/errcheck 20181003203344 revision varies: 1765131d5be5 ef45e06d44b6 github.com/golangci/errcheck ef45e06d44b6 timestamp varies: 2018-10-03 20:33:44 +0000 UTC 2018-12-23 08:41:20 +0000 UTC github.com/golangci/go-tools 20180109140146 revision varies: 35a9f45a5db0 af6baa5dc196 github.com/golangci/go-tools 35a9f45a5db0 timestamp varies: 2018-01-09 14:01:46 +0000 UTC 2019-01-24 09:00:46 +0000 UTC github.com/golangci/gofmt 20181105071733 revision varies: 0b8337e80d98 f021c4179c82 github.com/golangci/gofmt 0b8337e80d98 timestamp varies: 2018-11-05 07:17:33 +0000 UTC 2018-12-22 12:35:16 +0000 UTC github.com/golangci/gosec 20180901114220 revision varies: 66fb7fc33547 8afd9cbb6cfb github.com/golangci/lint c2187e7932b5 timestamp varies: 2017-09-08 18:12:59 +0000 UTC 2018-09-02 08:04:04 +0000 UTC github.com/golangci/lint-1 20180610141402 revision varies: 4bf9709227d1 ee948d087217 github.com/golangci/unparam 7ad9dbcccc16 timestamp varies: 2018-09-02 11:25:48 +0000 UTC 2018-09-02 11:51:09 +0000 UTC github.com/google/pprof 8358a9778bd1 timestamp varies: 2019-05-02 14:41:55 +0000 UTC 2019-05-09 08:38:00 +0000 UTC github.com/hashicorp/hcl2 4b22149b7cef timestamp varies: 2019-05-15 22:32:18 +0000 UTC 2019-05-15 22:43:32 +0000 UTC github.com/justinas/alice 20160910103822 revision varies: 03f45bd4b7da 1051eaf52fca github.com/justinas/alice 03f45bd4b7da timestamp varies: 2016-09-10 10:38:22 +0000 UTC 2017-10-23 06:44:55 +0000 UTC github.com/knq/sdhook 4d2800fd245c timestamp varies: 2019-05-12 23:18:55 +0000 UTC 2019-05-12 23:42:13 +0000 UTC github.com/lib/pq 20190320221453 revision varies: 2ff3cb3 51e2106 (and 1 more) github.com/mgechev/dots 18fa4c4b71cc timestamp varies: 2018-12-28 16:47:30 +0000 UTC 2019-06-03 12:26:14 +0000 UTC github.com/pierrec/lz4 20181027085611 revision varies: 623b5a2f4d2a 623b5a2f4d2a41e4 github.com/prometheus/procfs 0c11a8e341bf timestamp varies: 2019-05-30 14:28:22 +0000 UTC 2019-05-30 14:47:49 +0000 UTC github.com/prometheus/procfs 3cb620ac02d0 timestamp varies: 2019-05-28 15:12:40 +0000 UTC 2019-05-28 15:47:54 +0000 UTC github.com/prometheus/procfs 5867b95ac084 timestamp varies: 2019-05-07 16:40:30 +0000 UTC 2019-05-13 00:39:49 +0000 UTC github.com/prometheus/procfs 65bdadfa96ae timestamp varies: 2019-05-29 15:59:44 +0000 UTC 2019-05-29 17:30:44 +0000 UTC github.com/prometheus/procfs 740c07785007 timestamp varies: 2019-05-03 13:03:16 +0000 UTC 2019-05-06 00:28:11 +0000 UTC github.com/prometheus/procfs 87a4384529e0 timestamp varies: 2019-04-25 08:29:05 +0000 UTC 2019-04-30 20:53:26 +0000 UTC github.com/prometheus/procfs 9935e8e0588d timestamp varies: 2019-05-19 11:10:21 +0000 UTC 2019-05-20 13:46:16 +0000 UTC github.com/prometheus/procfs a7aeb8df3389 timestamp varies: 2019-05-23 19:31:04 +0000 UTC 2019-05-23 19:40:42 +0000 UTC github.com/prometheus/procfs bbced9601137 timestamp varies: 2019-02-27 23:14:51 +0000 UTC 2019-02-28 00:09:57 +0000 UTC github.com/prometheus/procfs bc1a522cf7b1 timestamp varies: 2019-05-22 11:45:15 +0000 UTC 2019-05-23 18:31:34 +0000 UTC github.com/puppyanger/ppap 20190518161905 revision varies: 2a7269177dae 58974b8523e6 (and 2 more) github.com/puppyanger/ppap 20190518161913 revision varies: 1ec4faa40270 58d9d2900676 (and 3 more) github.com/puppyanger/ppap 20190518161922 revision varies: 01025d20f0e6 11e529f2bfea (and 3 more) github.com/puppyanger/ppap 20190518161930 revision varies: 29d6dbf02765 2b2da725a9d1 (and 3 more) github.com/puppyanger/ppap 20190518161939 revision varies: 98e6d6b0726f c9585dbc31dc github.com/puppyanger/ppap 20190518161940 revision varies: 449fab5c7558 6873f410ee02 (and 1 more) github.com/puppyanger/ppap 20190518161948 revision varies: 165d5809c3cc 2a9b56189168 (and 1 more) github.com/puppyanger/ppap 20190518161953 revision varies: 0ff4e758899d 13e977992132 (and 3 more) github.com/puppyanger/ppap 20190518161956 revision varies: 3d2851ddb354 3e1c98cd0ef7 (and 2 more) github.com/puppyanger/ppap 20190518161958 revision varies: 177bb9290e53 8734ad6d44d9 (and 3 more) github.com/puppyanger/ppap 20190518162000 revision varies: 2cfa89900371 4257d057a485 (and 3 more) github.com/puppyanger/ppap 20190518162003 revision varies: 3fe1f6ea1ab1 5b7efa63721a (and 3 more) github.com/puppyanger/ppap 20190518162005 revision varies: 0e072867b8c6 2f8fe8ea8e6a (and 3 more) github.com/puppyanger/ppap 20190518162007 revision varies: 24277fdc2c6b 64fb4d755fc4 (and 3 more) github.com/puppyanger/ppap 20190518162009 revision varies: 2019a1aa9469 7cf9ba556e7f (and 3 more) github.com/puppyanger/ppap 20190518162013 revision varies: 20dde38e5fa9 3b28b420723d (and 3 more) github.com/puppyanger/ppap 20190518162016 revision varies: 381990db185b 38981ed2ec18 (and 3 more) github.com/puppyanger/ppap 20190518162024 revision varies: 134cbdf34e08 2efb42769d74 (and 3 more) github.com/puppyanger/ppap 20190518162031 revision varies: 27e3fb4c9479 31a3b7701413 (and 3 more) github.com/puppyanger/ppap 20190518162038 revision varies: 0edd370da91a 1ffc8df59c73 (and 3 more) github.com/puppyanger/ppap 20190518162048 revision varies: 0c27077eea5d 2cb9e6724ca4 github.com/rubenv/sql-migrate 20180704111356 revision varies: 3f452fc0ebeb ba2c6a7295c59448dbc195cef2f41df5163b3892 github.com/smartystreets/assertions 980c5ac6f3ac timestamp varies: 2019-02-15 21:06:24 +0000 UTC 2019-03-30 03:27:15 +0000 UTC github.com/smartystreets/assertions f487f9de1cd3 timestamp varies: 2019-04-01 21:17:40 +0000 UTC 2019-05-30 18:08:12 +0000 UTC github.com/smartystreets/goconvey 20190330032615 revision varies: 68dc04aab96a ef6db91d284a github.com/smartystreets/goconvey 68dc04aab96a timestamp varies: 2019-03-30 03:26:15 +0000 UTC 2019-03-30 03:27:15 +0000 UTC (and 290 more) github.com/smartystreets/goconvey ef6db91d284a timestamp varies: 2018-02-22 19:45:00 +0000 UTC 2019-03-30 03:26:15 +0000 UTC github.com/spf13/cobra c46add8a6528 timestamp varies: 0001-01-01 00:00:00 +0000 UTC 2017-07-11 12:08:33 +0000 UTC github.com/u-root/u-root 20170902185051 revision varies: 019d26a9fb3c 3dbbc137085a (and 1 more) github.com/ugorji/go/codec e444a5086c43 timestamp varies: 2019-02-04 20:13:41 +0000 UTC 2019-04-29 20:13:41 +0000 UTC github.com/zclconf/go-cty 4fecf87372ec timestamp varies: 2019-05-16 20:38:16 +0000 UTC 2019-05-19 16:34:11 +0000 UTC go.etcd.io/etcd 35a67024f680 timestamp varies: 2019-06-03 11:18:07 +0000 UTC 2019-06-03 18:18:07 +0000 UTC go4.org 94abd6928b1d timestamp varies: 2019-03-13 08:23:47 +0000 UTC 2019-04-30 20:53:26 +0000 UTC golang.org/x/arch 788fe5ffcd8c timestamp varies: 2019-03-12 16:21:04 +0000 UTC 2019-03-29 05:28:59 +0000 UTC golang.org/x/crypto 20190129210102 revision varies: 0709b304e793 ccddf3741a0c golang.org/x/crypto 0709b304e793 timestamp varies: 2018-09-04 16:38:35 +0000 UTC 2019-01-29 21:01:02 +0000 UTC golang.org/x/crypto 20be4c3c3ed5 timestamp varies: 2019-05-30 12:26:14 +0000 UTC 2019-06-01 00:35:51 +0000 UTC (and 81 more) golang.org/x/crypto 22d7a77e9e5f timestamp varies: 2019-05-13 17:29:03 +0000 UTC 2019-05-13 17:59:42 +0000 UTC golang.org/x/crypto a29dc8fdc734 timestamp varies: 2019-04-26 14:53:43 +0000 UTC 2019-05-02 00:46:02 +0000 UTC golang.org/x/lint 959b441ac422 timestamp varies: 2019-04-09 20:28:23 +0000 UTC 2019-05-11 00:54:46 +0000 UTC golang.org/x/net 3ec191127204 timestamp varies: 2019-05-14 14:07:10 +0000 UTC 2019-05-15 22:43:32 +0000 UTC (and 1 more) golang.org/x/net 4829fb13d2c6 timestamp varies: 2019-04-24 11:20:56 +0000 UTC 2019-04-24 11:27:55 +0000 UTC golang.org/x/net 60506f45cf65 timestamp varies: 2019-06-03 09:10:49 +0000 UTC 2019-06-03 09:33:02 +0000 UTC (and 64 more) golang.org/x/net 9ce7a6920f09 timestamp varies: 2019-05-01 00:44:15 +0000 UTC 2019-05-01 01:37:50 +0000 UTC golang.org/x/net a4d6f7feada5 timestamp varies: 2019-05-09 22:28:00 +0000 UTC 2019-05-09 23:21:57 +0000 UTC golang.org/x/net f3200d17e092 timestamp varies: 2019-05-22 15:58:17 +0000 UTC 2019-05-23 14:48:54 +0000 UTC (and 292 more) golang.org/x/net f4e77d36d62c timestamp varies: 2019-05-03 19:29:46 +0000 UTC 2019-05-06 00:28:11 +0000 UTC golang.org/x/oauth2 0f29369cfe45 timestamp varies: 2019-06-04 05:34:49 +0000 UTC 2019-06-04 05:40:33 +0000 UTC (and 2 more) golang.org/x/oauth2 950ef44c6e07 timestamp varies: 2019-05-17 18:12:55 +0000 UTC 2019-05-17 18:47:00 +0000 UTC (and 2 more) golang.org/x/oauth2 9f3314589c9a timestamp varies: 2019-04-02 18:19:05 +0000 UTC 2019-04-05 16:48:17 +0000 UTC (and 1 more) golang.org/x/oauth2 aaccbc9213b0 timestamp varies: 2019-05-23 18:27:46 +0000 UTC 2019-05-23 18:31:34 +0000 UTC (and 28 more) golang.org/x/sync 112230192c58 timestamp varies: 2019-04-23 02:48:10 +0000 UTC 2019-04-27 21:28:04 +0000 UTC golang.org/x/sys 0e01d883c5c5 timestamp varies: 2019-05-23 14:25:57 +0000 UTC 2019-05-23 14:48:54 +0000 UTC golang.org/x/sys 2219a0101f92 timestamp varies: 2019-05-26 03:56:09 +0000 UTC 2019-05-26 04:24:58 +0000 UTC golang.org/x/sys 3626398d7749 timestamp varies: 2019-05-28 18:36:47 +0000 UTC 2019-05-28 18:52:58 +0000 UTC (and 12 more) golang.org/x/sys 46560c3f3c0a timestamp varies: 2019-05-31 07:31:56 +0000 UTC 2019-05-31 07:58:03 +0000 UTC (and 4 more) golang.org/x/sys 4c3a928424d2 timestamp varies: 2019-05-31 17:50:56 +0000 UTC 2019-05-31 18:41:41 +0000 UTC (and 47 more) golang.org/x/sys 4c4f7f33c9ed timestamp varies: 2019-06-02 01:53:25 +0000 UTC 2019-06-02 03:53:34 +0000 UTC (and 119 more) golang.org/x/sys 5219a1e1c5f8 timestamp varies: 2019-05-29 13:00:38 +0000 UTC 2019-05-29 13:27:21 +0000 UTC (and 1 more) golang.org/x/sys 61b9204099cb timestamp varies: 2019-05-16 11:00:30 +0000 UTC 2019-05-19 16:34:11 +0000 UTC golang.org/x/sys 69e3a3a65b5b timestamp varies: 2019-05-31 13:24:40 +0000 UTC 2019-05-31 13:51:44 +0000 UTC (and 3 more) golang.org/x/sys 6a60838ec259 timestamp varies: 2019-05-29 16:45:35 +0000 UTC 2019-05-29 17:45:06 +0000 UTC (and 20 more) golang.org/x/sys 791d8a0f4d09 timestamp varies: 2019-05-26 05:23:59 +0000 UTC 2019-05-26 05:33:52 +0000 UTC (and 37 more) golang.org/x/sys 854af27f14a7 timestamp varies: 2019-05-29 08:50:34 +0000 UTC 2019-05-29 09:46:03 +0000 UTC (and 1 more) golang.org/x/sys 9cd6430ef91e timestamp varies: 2019-05-27 10:42:16 +0000 UTC 2019-05-27 11:25:10 +0000 UTC (and 18 more) golang.org/x/sys a5b02f93d862 timestamp varies: 2019-05-09 14:14:14 +0000 UTC 2019-05-09 14:35:28 +0000 UTC golang.org/x/sys abf6ff778158 timestamp varies: 2019-05-24 12:25:48 +0000 UTC 2019-05-24 12:37:31 +0000 UTC golang.org/x/sys ad28b68e88f1 timestamp varies: 2019-05-30 18:20:44 +0000 UTC 2019-05-30 18:49:56 +0000 UTC (and 10 more) golang.org/x/sys adf421d2caf4 timestamp varies: 2019-05-28 01:25:30 +0000 UTC 2019-05-28 01:38:23 +0000 UTC (and 15 more) golang.org/x/sys afe098805b5c timestamp varies: 2019-06-02 01:07:38 +0000 UTC 2019-06-02 01:54:18 +0000 UTC golang.org/x/sys b6889370fb10 timestamp varies: 2019-03-02 02:57:03 +0000 UTC 2019-03-02 04:57:20 +0000 UTC golang.org/x/sys cc920278c2cc timestamp varies: 2019-05-29 11:55:39 +0000 UTC 2019-05-29 12:49:54 +0000 UTC golang.org/x/sys dbbf3f1254d4 timestamp varies: 2019-05-24 15:25:21 +0000 UTC 2019-05-24 15:37:43 +0000 UTC (and 29 more) golang.org/x/sys e44a3b55db15 timestamp varies: 2019-05-26 03:10:47 +0000 UTC 2019-05-26 03:23:47 +0000 UTC golang.org/x/sys ea4c425e90c7 timestamp varies: 2019-05-27 09:26:32 +0000 UTC 2019-05-27 10:24:28 +0000 UTC golang.org/x/text 905a57155faa timestamp varies: 2018-09-11 16:15:11 +0000 UTC 2018-09-08 17:02:15 +0000 UTC golang.org/x/time 9d24e82272b4 timestamp varies: 2019-03-08 20:28:27 +0000 UTC 2019-05-13 21:27:39 +0000 UTC golang.org/x/tools 20180831211245 revision varies: 6c7e314b6563 7ca132754999 golang.org/x/tools 20190125232054 revision varies: 379209517ffe d66bd3c5d5a6 golang.org/x/tools 20190314010720 revision varies: 1286b2016bb1 f0bfdbff1f9c golang.org/x/tools 08bd53a4b4c4 timestamp varies: 2019-05-28 20:25:02 +0000 UTC 2019-05-28 20:27:19 +0000 UTC (and 3 more) golang.org/x/tools 08e0b306e832 timestamp varies: 2019-06-03 15:29:06 +0000 UTC 2019-06-03 15:47:49 +0000 UTC golang.org/x/tools 0abef6e9ecb8 timestamp varies: 2019-06-01 11:02:25 +0000 UTC 2019-06-01 11:37:40 +0000 UTC (and 16 more) golang.org/x/tools 12d73424210d timestamp varies: 2019-05-30 04:37:10 +0000 UTC 2019-05-30 04:46:27 +0000 UTC (and 10 more) golang.org/x/tools 16909d206f00 timestamp varies: 2019-01-18 19:33:59 +0000 UTC 2019-01-30 01:41:16 +0000 UTC golang.org/x/tools 178e83bc9d6a timestamp varies: 2019-06-03 18:19:26 +0000 UTC 2019-06-03 18:55:32 +0000 UTC golang.org/x/tools 1a7b4747f5e9 timestamp varies: 2019-05-28 14:28:31 +0000 UTC 2019-05-28 14:38:58 +0000 UTC golang.org/x/tools 26e35f15edef timestamp varies: 2019-05-31 22:35:38 +0000 UTC 2019-05-31 23:33:48 +0000 UTC (and 10 more) golang.org/x/tools 2b03ca6e44eb timestamp varies: 2019-05-30 17:14:27 +0000 UTC 2019-05-30 17:43:12 +0000 UTC golang.org/x/tools 2c0ae7006135 timestamp varies: 2019-05-24 14:03:12 +0000 UTC 2019-05-24 14:37:32 +0000 UTC (and 3 more) golang.org/x/tools 2de7f9bf822c timestamp varies: 2019-06-02 11:28:58 +0000 UTC 2019-06-02 11:50:13 +0000 UTC (and 25 more) golang.org/x/tools 31fd60d6bfdc timestamp varies: 2019-04-25 16:32:42 +0000 UTC 2019-04-25 16:47:42 +0000 UTC golang.org/x/tools 379209517ffe timestamp varies: 2019-01-25 23:20:54 +0000 UTC 2019-02-05 20:13:29 +0000 UTC golang.org/x/tools 38d8bcfa38af timestamp varies: 2019-05-23 17:46:34 +0000 UTC 2019-05-23 18:37:47 +0000 UTC (and 17 more) golang.org/x/tools 3d17549cdc6b timestamp varies: 2019-05-24 21:02:28 +0000 UTC 2019-05-24 21:42:54 +0000 UTC (and 15 more) golang.org/x/tools 521d6ed310dd timestamp varies: 2019-05-21 20:35:40 +0000 UTC 2019-05-23 14:29:46 +0000 UTC (and 2 more) golang.org/x/tools 6c7e314b6563 timestamp varies: 2018-08-31 21:12:45 +0000 UTC 2018-10-30 22:17:26 +0000 UTC golang.org/x/tools 70bf279967a6 timestamp varies: 2019-06-03 21:18:25 +0000 UTC 2019-06-03 21:59:19 +0000 UTC golang.org/x/tools 75312fb06703 timestamp varies: 2019-05-30 21:55:28 +0000 UTC 2019-05-30 22:45:34 +0000 UTC (and 17 more) golang.org/x/tools 7be61e1b0e51 timestamp varies: 2019-05-25 14:57:41 +0000 UTC 2019-05-25 15:32:51 +0000 UTC (and 69 more) golang.org/x/tools 8aaa1484dc10 timestamp varies: 2019-06-03 23:13:51 +0000 UTC 2019-06-03 23:30:10 +0000 UTC (and 16 more) golang.org/x/tools 991f2949994b timestamp varies: 2019-05-24 12:55:31 +0000 UTC 2019-05-24 13:50:26 +0000 UTC golang.org/x/tools aa71c3f32488 timestamp varies: 2019-05-29 01:04:54 +0000 UTC 2019-05-29 01:27:14 +0000 UTC (and 13 more) golang.org/x/tools b012c1979805 timestamp varies: 2019-06-03 19:34:55 +0000 UTC 2019-06-03 19:57:03 +0000 UTC golang.org/x/tools b3315ee88b7d timestamp varies: 2019-05-31 17:21:33 +0000 UTC 2019-05-31 17:54:26 +0000 UTC (and 3 more) golang.org/x/tools b97706b7f64d timestamp varies: 2019-05-30 00:16:15 +0000 UTC 2019-05-30 00:37:56 +0000 UTC (and 2 more) golang.org/x/tools ce1a3806b557 timestamp varies: 2019-05-30 18:43:49 +0000 UTC 2019-05-30 19:41:57 +0000 UTC golang.org/x/tools d238219cc233 timestamp varies: 2019-05-28 15:12:38 +0000 UTC 2019-05-28 15:44:30 +0000 UTC (and 2 more) golang.org/x/tools d487f80763e2 timestamp varies: 2019-05-24 18:48:02 +0000 UTC 2019-05-24 19:42:50 +0000 UTC golang.org/x/tools d850aa06e894 timestamp varies: 2019-05-29 19:11:38 +0000 UTC 2019-05-29 19:28:31 +0000 UTC golang.org/x/tools f0bfdbff1f9c timestamp varies: 2019-03-14 01:07:20 +0000 UTC 2019-03-15 21:40:10 +0000 UTC golang.org/x/tools f98590f1bfc8 timestamp varies: 2019-05-29 17:05:31 +0000 UTC 2019-05-29 17:45:06 +0000 UTC golang.org/x/tools fb6c8ffd2207 timestamp varies: 2019-05-29 20:33:03 +0000 UTC 2019-05-29 21:33:27 +0000 UTC golang.org/x/xerrors 20190315151331 revision varies: a5947ffaac d61658bd2e18 golang.org/x/xerrors 20190513163551 revision varies: 3ee3066db522 a5947ffaac golang.org/x/xerrors a5947ffaac timestamp varies: 2019-03-15 15:13:31 +0000 UTC 2019-05-13 16:35:51 +0000 UTC google.golang.org/genproto bb713bdc0e52 timestamp varies: 2019-05-16 17:26:35 +0000 UTC 2019-05-19 16:34:11 +0000 UTC google.golang.org/genproto c2c4e71fbf69 timestamp varies: 2019-05-22 20:44:51 +0000 UTC 2019-05-23 14:48:54 +0000 UTC (and 22 more) google.golang.org/genproto ee236bd376b0 timestamp varies: 2017-08-18 01:03:45 +0000 UTC 2017-08-18 10:03:45 +0000 UTC google.golang.org/genproto fb225487d101 timestamp varies: 2019-05-30 19:49:41 +0000 UTC 2019-06-01 00:35:51 +0000 UTC (and 82 more) k8s.io/api 20190602125759 revision varies: 1d8a3c80f93a c1e9adbde704 k8s.io/apimachinery 1f207b29b441 timestamp varies: 2019-05-13 18:25:58 +0000 UTC 2019-05-14 01:25:58 +0000 UTC k8s.io/apimachinery 5bae42371a56 timestamp varies: 2019-04-30 14:11:24 +0000 UTC 2019-04-30 21:11:24 +0000 UTC k8s.io/apimachinery 63a6072eb563 timestamp varies: 2019-06-02 11:36:12 +0000 UTC 2019-06-02 18:36:12 +0000 UTC k8s.io/client-go 20190528154735 revision varies: 79226fe1949a df931a0dfc8c k8s.io/code-generator b1289fc74931 timestamp varies: 2018-11-28 19:10:24 +0000 UTC 2019-03-01 17:30:42 +0000 UTC sigs.k8s.io/structured-merge-diff 20190302045857 revision varies: e85c7b244fd2 ea680f03cc65b tmthrgd.dev/go/ddns 4f91cdabf141 timestamp varies: 2019-04-30 00:36:47 +0000 UTC 2019-04-30 00:41:04 +0000 UTC ```

[bcmills]

Of the remaining invalid base revisions:

• Two come from replace directives.

  • github.com/census-instrumentation/opencensus-proto v0.1.0-0.20181214143942-ba49f56771b8 comes from github.com/pulumi/tf2pulumi.
  • github.com/cloudwan/ginkgo v1.6.0-0.20190213151947-95174e8d10cd comes from a github.com/cloudwan/gohan.
  • Since replace directives don't affect downstream modules, the damage from these is very limited.

• The bad versions of github.com/containerd/containerd and github.com/docker/docker are from manual edits in github.com/docker/buildx and github.com/moby/buildkit by one or a small number of authors (@tonistiigi in particular).

  • Those are concerning because of the large number of modules with transitive dependencies within the docker ecosystem. It's not obvious to me whether buildx or buildkit are central modules within that ecosystem, but if so we may need to whitelist the specific versions in question.

• The bad version of github.com/modsdemo/v0tags is due to manual testing by @leitzler.

• I could not locate the remainder with a Google or GitHub search. I suspect they are dependencies of non-public modules.

  • gopkg.in/gin-gonic/gin.v1 v1.0.0-0.20170702092826-d459835d2b07
  • github.com/netlify/netlify-commons v0.17.0-0.20190606095701-c4d04dcc126b
  • gopkg.in/bluesuncorp/validator.v5 v5.0.0-0.20150523023324-07cbdd2e6dfd
  • github.com/containers/libpod v1.4.0-0.20190614192453-4a450d55d95f
  • github.com/google/wire v0.3.0-0.20190611223505-93b1ce745f8d
  • I would guess that non-public modules are easier to fix in general than public ones, since they necessarily can't be dependencies of public modules.

[bcmills]

Many of the inconsistent revisions appear in what appear to be smaller-scale forks of larger modules. The long revisions in particular tend to appear in replace directives.

The skewed k8s.io dates in particular tend to be offset by 7 hours. That suggests a bug in a conversion between America/Los_Angeles and UTC, and I'm guessing has something to do with the peculiar way they're using replace directives (see kubernetes/kubernetes#63607; CC @liggitt).

[thepudds]

This seems to at least attempt to use the go command to get the version string for a SHA:

https://github.com/kubernetes/kubernetes/blob/master/hack/pin-dependency.sh#L75

But maybe that is not right, or maybe another script does it incorrectly.

[liggitt]

k8s.io/apimachinery 1f207b29b441
        2019-05-13 18:25:58 +0000 UTC
        2019-05-14 01:25:58 +0000 UTC
k8s.io/apimachinery 5bae42371a56
        2019-04-30 14:11:24 +0000 UTC
        2019-04-30 21:11:24 +0000 UTC
k8s.io/apimachinery 63a6072eb563
        2019-06-02 11:36:12 +0000 UTC
        2019-06-02 18:36:12 +0000 UTC
k8s.io/code-generator b1289fc74931
        2018-11-28 19:10:24 +0000 UTC
        2019-03-01 17:30:42 +0000 UTC

Probably https://github.com/kubernetes/publishing-bot/blob/1481c50c852502b9cccdbcf45fac7352efe72701/artifacts/scripts/util.sh#L882-L884

cc @sttts

[tmthrgd]

tmthrgd.dev/go/ddns is my package, but I've since switched the import path over to go.tmthrgd.dev/ddns. It's a command line tool so I'm certain it never appeared in a go.mod file.

Grepping through my bash history I see the following that line up:

24154  [2019-04-30 10:07:18] GO111MODULE=on go install tmthrgd.dev/go/ddns
24158  [2019-04-30 10:07:46] go install tmthrgd.dev/go/ddns

I believe I was in a $GOPATH/src directory and at the time I had GOPROXY=https://proxy.golang.org set.

These are the go installs I did before and after that time so I was running go1.12.1 at the time (for above go is ~/sdk/go1.12.1/bin/go).

23689  [2019-03-21 16:53:18] go get golang.org/dl/go1.12.1
23690  [2019-03-21 16:53:26] go1.12.1 download
24178  [2019-04-30 15:32:49] go get golang.org/dl/go1.12.4
24180  [2019-04-30 15:33:07] go1.12.4 download

My go env should have looked like this:

$ GOPROXY=https://proxy.golang.org go1.12.1 env
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/tom/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/tom/go"
GOPROXY="https://proxy.golang.org"
GORACE=""
GOROOT="/home/tom/sdk/go1.12.1"
GOTMPDIR=""
GOTOOLDIR="/home/tom/sdk/go1.12.1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build145672369=/tmp/go-build -gno-record-gcc-switches"

My timezone is:

$ date +"%Z %z"
ACST +0930

Just for reference this line appears in my bash history and lines up with one of the timestamps:

24152  [2019-04-30 10:06:47] git commit

It was run in the module directory and I have a precommit hook that runs gofmt -l (edit: on individual changed .go files), though I don't know how or why that would affect anything.

I'm happy to provide any more information if needed.

[bcmills]

Confirmed that the v0.0.0-0. entries are due to a bug internal to the Go module proxy, introduced around June 3 and fixed around June 12 (part of the fix for #32461). Hopefully that's a short enough window that those invalid versions are not widespread.

[bcmills]

Looks like the k8s.io issue should be fixed in https://github.com/kubernetes/publishing-bot/issues/186.

[bcmills]

@tmthrgd, thanks for the info. Most likely the error is in some consumer of your module rather than your module itself. (We're still trying to figure out how to investigate the sources of these errors, at least when those sources are other open-source modules.)

[jayconrod]

I did some analysis on whether CL 181881 would break many projects. I found 12 modules out of 1531 analyzed that would be broken. This seems like a small enough number that I think we should proceed with the fix as it is.

---

Methodology

• Started with a list of 5000 frequently imported packages.
• Extracted a list of 1632 modules providing those package. Removed modules with upper case letters in the module paths (sorry, I realized these needed escaping too late, and this would have delayed analysis further. I don't think this reduced coverage too much). 1531 modules were left.
• For each module:
  • Downloaded the latest go.mod file I could find. I mainly used https://proxy.golang.org/<modpath>/@latest to tell me the latest version, then https://proxy.golang.org/<modpath>/@v/<version>.mod to get this. If @latest was not available, I used the last value in https://proxy.golang.org/<modpath>/@v/list for the version.
  • Ran go list -m all with CL 181881 and with Go 1.12.6 for comparison. Both commands were run with GOPROXY=direct. A different GOPATH was used for each Go version, but each GOPATH was shared with all modules to avoid hitting GitHub too hard (I already got rate limited a bit).
  • Logged differences and failures.

---

Findings

I didn't find any modules where the build list was constructed successfully but with differences in both versions of Go.

There were 2 modules where the latest version has an incorrect module path. For example in gopkg.in/gin-gonic/gin.v1@v1.4.0, the module path is github.com/gin-gonic/gin. I skipped these, since the correct name of the module was covered already.

There were 12 modules with new validation errors due to this CL.

github.com/appscode/go
go: github.com/flosch/pongo2@v0.0.0-20181225140029-79872a7b2769 requires
    github.com/go-check/check@v1.0.0-20180628173108-788fd7840127: invalid pseudo-version: major version without preceding tag must be v0, not v1

github.com/cloudflare/cloudflare-go
go: golang.org/x/lint@v0.0.0-20190511005446-959b441ac422: invalid pseudo-version: does not match version-control timestamp (2019-04-09T20:28:23Z)

github.com/dubbo/go-for-apache-dubbo
go: github.com/dubbogo/getty@v0.0.0-20190523180329-bdf5e640ea53: invalid pseudo-version: does not match version-control timestamp (2019-05-23T10:03:29Z)

github.com/flosch/pongo2
go: github.com/go-check/check@v1.0.0-20180628173108-788fd7840127: invalid pseudo-version: major version without preceding tag must be v0, not v1

github.com/go-interpreter/wagon
go: github.com/twitchyliquid64/golang-asm@v0.0.0-20190315094337-365674df15fc: invalid pseudo-version: does not match version-control timestamp (2019-01-26T20:37:39Z)

github.com/jhump/protoreflect
go: google.golang.org/genproto@v0.0.0-20170818100345-ee236bd376b0: invalid pseudo-version: does not match version-control timestamp (2017-08-18T01:03:45Z)

github.com/lightninglabs/neutrino
go: github.com/btcsuite/btcwallet@v0.0.0-20190319010515-89ab2044f962 requires
    github.com/lightninglabs/neutrino@v0.0.0-20190313035638-e1ad4c33fb18 requires
    github.com/btcsuite/btcwallet@v0.0.0-20190313032608-acf3b04b0273 requires
    github.com/lightninglabs/neutrino@v0.0.0-20190213031021-ae4583a89cfb requires
    github.com/btcsuite/btcwallet@v0.0.0-20180904010540-284e2e0e696e33d5be388f7f3d9a26db703e0c06: invalid pseudo-version: revision is longer than canonical (284e2e0e696e)

github.com/ltcsuite/ltcd
go: github.com/ltcsuite/ltcutil@v0.0.0-20190507082654-23cdfa9fcc3d: invalid pseudo-version: does not match version-control timestamp (2019-05-07T13:33:22Z)

github.com/tonistiigi/fsutil
go: golang.org/x/crypto@v0.0.0-20190129210102-0709b304e793: invalid pseudo-version: does not match version-control timestamp (2018-09-04T16:38:35Z)

gomodules.xyz/cert
go: github.com/appscode/go@v0.0.0-20190424183524-60025f1135c9 requires
    github.com/flosch/pongo2@v0.0.0-20181225140029-79872a7b2769 requires
    github.com/go-check/check@v1.0.0-20180628173108-788fd7840127: invalid pseudo-version: major version without preceding tag must be v0, not v1

kmodules.xyz/client-go
go: github.com/appscode/go@v0.0.0-20190424183524-60025f1135c9 requires
    github.com/flosch/pongo2@v0.0.0-20181225140029-79872a7b2769 requires
    github.com/go-check/check@v1.0.0-20180628173108-788fd7840127: invalid pseudo-version: major version without preceding tag must be v0, not v1

kmodules.xyz/offshoot-api
go: kmodules.xyz/client-go@v0.0.0-20190524133821-9c8a87771aea requires
    github.com/appscode/go@v0.0.0-20190424183524-60025f1135c9 requires
    github.com/flosch/pongo2@v0.0.0-20181225140029-79872a7b2769 requires
    github.com/go-check/check@v1.0.0-20180628173108-788fd7840127: invalid pseudo-version: major version without preceding tag must be v0, not v1

I was happy not to see any problems with invalid +incompatible versions. Several modules require github.com/pierrec/lz4 v2.0.5+incompatible, which is the last valid version.

[thepudds]

Maybe this is unrelated, but posting here for now in case it is related.

Getting k8s.io/kubernetes at master then k8s.io/api at master fails with gotip complaining about unknown revision v0.0.0, but same steps work with Go 1.12.6 without error.

go get golang.org/dl/gotip && gotip download

export GOPROXY=direct
export GOSUMDB=off
export GOPATH=$(mktemp -d)
cd $(mktemp -d)

gotip mod init m
gotip get -v -d k8s.io/kubernetes@master    # current master: 8c3b7d7679cc
gotip get -v -d k8s.io/api@master           # current master: dcce3486da33

which fails with:

go: extracting k8s.io/api v0.0.0-20190620073856-dcce3486da33
go: downloading k8s.io/api v0.0.0
go get k8s.io/api@master: unknown revision v0.0.0

mod graph says:

gotip mod graph | egrep 'k8s.io/api@v0.0.0$' 
k8s.io/kubernetes@v1.16.0-alpha.0.0.20190623232353-8c3b7d7679cc k8s.io/api@v0.0.0

gotip is devel +c290cb6 Sun Jun 23 22:20:39 2019 +0000 linux/amd64.

[thepudds]

The bad versions of github.com/containerd/containerd and github.com/docker/docker [...]

Those are concerning because of the large number of modules with transitive dependencies within the docker ecosystem. It's not obvious to me whether buildx or buildkit are central modules within that ecosystem, but if so we may need to whitelist the specific versions in question.

Probably not a surprise, but cloning docker, then doing mod init followed by mod tidy fails with tip:

export GOPROXY=direct
export GOSUMDB=off
export GOPATH=$(mktemp -d)

git clone --depth=1 https://github.com/docker/docker
cd docker
gotip mod init
gotip mod tidy

which fails with:

go: github.com/moby/buildkit@v0.5.2-0.20190611004307-c24275065aca requires
        github.com/containerd/containerd@v1.3.0-0.20190426060238-3a3f0aac8819: 
        invalid pseudo-version: version before v1.3.0 would have negative patch number

Those steps pass with Go 1.12.6.

[gopherbot]

Change https://golang.org/cl/183618 mentions this issue: cmd/go/internal/modfetch: treat a missing go.mod file as a “not exist” error

[gopherbot]

Change https://golang.org/cl/183619 mentions this issue: cmd/go/internal/modfetch: return structured errors from proxy operations

[bcmills]

@thepudds, I don't know why go1.12.6 doesn't detect the error in k8s.io/kubernetes, but gotip is correct to fail that sequence.

k8s.io/kubernetes requires k8s.io/api v0.0.0 here. There is no such version of k8s.io/api tagged, and because the repo doesn't have any semver-style tags, v0.0.0- is the correct pseudo-version prefix for its commits.

As far as I can tell, because k8s.io/kubernetes relies so heavily on replace directives to pin its dependencies it can only be built in module mode if it is the main module, or if the main module replicates its replace directives more-or-less exactly.

[gopherbot]

Change https://golang.org/cl/184720 mentions this issue: cmd/go: tighten the check for pseudo-version base tags