cmd/go: include vcs revision in module .info files
seankhliao opened this issue · 7 comments
It would be nice to have a way to tell which revision the proxy saw when it got a version from upstream. While this information isn't needed most of the time, it is helpful in debugging sum mismatches / moved tags. Currently to do so we can only download from both upstream and the proxy and diff the directories.
proxy.golang.org just forwards on the .info files generated by the go command.
It wouldn't be too hard to add optional fields to .info files.
But I should point out that these files aren't authenticated, and it's possible they can change over time or be reported differently by different proxies. I think the go command would have to ignore this information when reporting security errors.
cc @matloob as well.
I agree they shouldn't be considered for reporting security errors, just for humans identifying issues. I don't think the information would be reliably available either (old versions, mod as vcs).
It would be easier to investigate issues like #46348 if the vcs revision info was available.
I agree, this would make life a lot easier than e.g. the steps that I had to take here:
argoproj/argo-rollouts#2065 (comment)
Which took about 1-2 hours of troubleshooting to pin down. Maybe someone who is more familiar would be faster but that was not me. In particular the Go command abstracts a lot and cleans up downloaded files, so it's not easy to verify what proxy URL is being hit, what command is being run to fetch data from the upstream, etc.
Did #53644 solve this? In particular, see: https://go-review.googlesource.com/c/go/+/411397
This is done. If you run with GOPROXY=off you will see them in all your info files that come from git.
If you are using a proxy then it depends on what the proxy serves.
By default Go uses proxy.golang.org, which serves the vcs info in info files it has gathered since Go 1.19 was released.
For example: https://proxy.golang.org/golang.org/x/build/@v/v0.0.0-20220810151148-671cb44b90c4.info
Older info files known to the proxy have not been refreshed, so you will see a mix of with and without vcs that way.
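An added example, not part of the thread or of the Go project's code: a small checker that compares the VCS revision in two .info documents for the same version, such as one served by a proxy and one produced with GOPROXY=off, when investigating a moved tag. The `Origin` object with `VCS`, `URL`, `Ref` and `Hash` is the optional field the go command writes since Go 1.19; the module URL, times and hashes below are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Info holds the .info fields used here; Origin is absent in older files.
type Info struct {
	Version string
	Origin  *struct{ VCS, URL, Ref, Hash string }
}

// Constructed samples: the same tag reported at two different commits.
const (
	proxyInfo  = `{"Version":"v1.2.3","Time":"2022-08-10T15:11:48Z","Origin":{"VCS":"git","URL":"https://example.com/mod","Ref":"refs/tags/v1.2.3","Hash":"1111111111111111111111111111111111111111"}}`
	directInfo = `{"Version":"v1.2.3","Time":"2022-09-01T09:00:00Z","Origin":{"VCS":"git","URL":"https://example.com/mod","Ref":"refs/tags/v1.2.3","Hash":"2222222222222222222222222222222222222222"}}`
	oldInfo    = `{"Version":"v1.2.3","Time":"2022-08-10T15:11:48Z"}`
)

// CompareInfo returns "match", "moved" or "unknown" for two .info documents
// describing the same version. The result is a debugging hint only: .info
// files are unauthenticated, so go.sum remains the integrity check.
func CompareInfo(a, b []byte) (string, error) {
	var x, y Info
	if err := json.Unmarshal(a, &x); err != nil {
		return "", fmt.Errorf("first info: %w", err)
	}
	if err := json.Unmarshal(b, &y); err != nil {
		return "", fmt.Errorf("second info: %w", err)
	}
	switch {
	case x.Version != y.Version:
		return "", fmt.Errorf("different versions: %q and %q", x.Version, y.Version)
	case x.Origin == nil || y.Origin == nil || x.Origin.Hash == "" || y.Origin.Hash == "":
		return "unknown", nil // older info file, or a source that is not a VCS
	case x.Origin.Hash != y.Origin.Hash:
		return "moved", nil // same version, different revision
	}
	return "match", nil
}

func main() {
	for _, other := range []string{directInfo, proxyInfo, oldInfo} {
		verdict, err := CompareInfo([]byte(proxyInfo), []byte(other))
		fmt.Println(verdict, err)
	}
}
```

An "unknown" verdict is expected for info files the proxy gathered before Go 1.19 and should not be read as a mismatch.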