Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document Go version policy #1225

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

sudo-bmitch
Copy link
Contributor

Fixes #899.

Copy link

@rchincha rchincha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

... we don't want to fall too behind; cve fixes etc!

@sudo-bmitch
Copy link
Contributor Author

lgtm

... we don't want to fall too behind; cve fixes etc!

CVE fixes would apply to projects using the spec, rather than the spec itself. I don't expect we'll see Go CVEs in the implementation of structs.

tianon
tianon previously approved these changes Dec 12, 2024
Copy link
Member

@tianon tianon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM -- because we're a library, us staying conservative allows consumers to make the tradeoffs they need to (https://research.swtch.com/vgo-mvs) without being forced by us to change, and I think this policy is reasonably conservative even if we do have a compelling technical reason in the future to bump beyond 1.18 as a minimum. 👍

go.mod Outdated
// The minimum Go release is only incremented when required by a feature.
// At least 3 Go releases will be supported by the spec.
// For example, updating this version to 1.19 first requires Go 1.21 to be released.
// Update actions in .github/workflows when changing this version.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I bet we could get clever with somehow swapping from go-version: to go-version-file: for that leg of our GHA matrix to avoid this 🤔

Copy link
Member

@tianon tianon Dec 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out it was really easy, and actions/setup-go has stable and oldstable aliases that match our intent there too, so we'd not need to bump them again: tianon/go-progress@1e3b16c 😂

(This is orthogonal though, so I can make a separate PR; Edit: done: #1229)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not completely orthogonal. With that change to GHA, we no longer needed this line.

@rchincha
Copy link

lgtm
... we don't want to fall too behind; cve fixes etc!

CVE fixes would apply to projects using the spec, rather than the spec itself. I don't expect we'll see Go CVEs in the implementation of structs.

Well, we don't export structs alone separately, and this project has a go.mod
https://github.com/opencontainers/image-spec/blob/main/go.mod ... so

@tianon
Copy link
Member

tianon commented Dec 13, 2024

As described in https://research.swtch.com/vgo-mvs, because we're just a library (no binaries / "main" packages here), our go.mod only specifies the minimum version required for using our code. Thus, specifying higher versions more proactively is the responsibility of consumers of our library, not us.

Signed-off-by: Brandon Mitchell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Declare supported Go versions
3 participants