-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Recommended Go 1.16 Workflow #5213
Comments
@catenacyber - can you help us on this. |
Looking into it |
@catenacyber happy to help if you run into any issues making |
Thanks @mvdan help is welcome indeed. Here is what I have. Other fix is to run The problem is Last fix would be to change the projects builds scripts so that they use |
I think that's fine as a temporary workaround, if nothing else to get a fix to master as soon as possible. But, like you say, it's only a temporary workaround.
I think So I personally think that initializing a dummy module should be avoided. We should just use the project's own The issue then becomes "how to download the module source code to run go-fuzz in it", like you say below:
One option, like you say, is to directly use a VCS command like -- Another option, if you want to avoid this disconnect between module path and VCS URL, is to ask Go to download the module into its cache, and use that:
The above is just an example. You could use any other module, as well as any other version like a git ref ( Note that this directory contains the entire module at the version one chooses, but no VCS information like the That example with |
@catenacyber - i like the use of git clone. we have 40 of these, any easy way you can please help with a cl to migrate these. all of these go projects are broken which is pretty bad :( |
It used to work in both cases (inside and outside) and different projects used the different ways
Not every project has a a go.mod (gonids for instance) So I would like to avoid a solution where there is a need to change many projects build.sh
|
You need the
Those can keep using
Hopefully that kind of variance should no longer be necessary with modules. |
Thanks
|
I should have clarified; the You do need a temporary module to download the module, in that case, because We can work around that with a temporary module and a mix of
By the way, note that |
Indeed it works for gopacket, thanks for the explanation...
So, not sure what is best here... |
Ah, right, I was not aware that you want to run the script entirely offline. The module cache can store many versions for each module, unlike GOPATH, which only supports storing a single version per module/package. This is why the second I see two options; I'm going to use
Note that the first argument to
Here, the first argument to |
I think I'd pick the first option, just for the sake of simplicity; I think adding an extra temporary module could confuse some users. Plus, having the entire VCS clone is closer to what the old GOPATH method did, so it's less likely to break users. |
Prometheus maintainer here - to be clear, do we need to do something to fix our build? |
@roidelapluie this should get fixed with #5228 without changing anything to prometheus (nor its definition in oss-fuzz) @mvdan |
Indeed. The old scripts were depending on GOPATH-specific behavior, so I don't think there's a way to avoid that. The good news is that the GOPATH vs modules breakage is unlikely to happen again anytime soon :) |
The problem looks to me that |
Right. In the old GOPATH world, |
@mvdan syzkaller build has a specific error :
Do you know about it since your name shows up in it ? |
My guess is that upstream had to run |
|
In general, It should be noted that it's upstreams who should be fixing these problems, though. You having to run either of those commands should only be a temporary workaround. |
This is syzkaller project I guess this is the same for teleport project (the error message is the same) |
@catenacyber yeah, as expected, the syzkaller project just has an out of date go.mod/go.sum/vendor. I've sent google/syzkaller#2459 to fix it. The same should be done with other projects, I think. The alternative is to run |
Thanks for he syzkaller patch. |
it should be something like:
Note that some projects, like syzkaller, require generating code before |
Thanks @mvdan |
The Go setup-up guide (https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#dockerfile) recommends using
go get
to install a project. Since Go 1.16 this doesn't work any more, since packages are not installed in theGOPATH
any more.On the other hand,
compile_go_fuzzer
expects the code to be located in/root/src/go/<DIRECTORY>
, and doesn't even allow using an absolute path.What's the recommended way to set up a Go project now? Should we manually create the directory structure that Go with
GOPATH
enabled would have created? Or are some changes tocompile_go_fuzzer
coming?The text was updated successfully, but these errors were encountered: