Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Linting and Code Scanning #178

Closed
wants to merge 55 commits into from
Closed

Conversation

faddat
Copy link
Contributor

@faddat faddat commented Mar 15, 2023

note

This PR addresses a number of code quality issues.

Per @fragwuerdig request, it no longer contains other PRs and is a freestanding PR into the main branch that lints it.

changes

  • add code quality tooling that was removed by l1 team
  • begin cleanup (again). Linting makes issues more obvious, gives them fewer places to hide
  • Delete CODEOWNERS
  • fix
  • continue cleaning
  • 144 quality issues that were resolved motnhs ago to re-resolve before can confidently debug
  • 135 code quality issues that were resolved motnhs ago to re-resolve before can confidently debug
  • 107 lint issssues I fixed months ago remaining
  • 93 lint issues fixed months ago remaining
  • 89 lint issues fixed months ago remaining
  • 82 lint issues fixed months ago remaining
  • 58 lint issues I fixed months ago remaining
  • 28 lint issues that I fixed months ago, which were readded to the repo for no reason, remanining
  • there. Now we are back where we were 3 months ago.
  • 100%
  • go install
  • linted
  • fix test_utils.go
  • remove exclusions
  • don't use deprecated

Static Analysis

  • codeql added
  • codacy added

Summary of changes

This PR lints the codebase so that issues can be discovered more easily. For
example, the testnet code in the cmd folder was using a deprecated call.

It also introduces a set of tooling that increases the rigor of automated testing.

Report of required housekeeping

  • Github issue OR spec proposal link
  • Wrote tests
  • Updated API documentation (client/lcd/swagger-ui/swagger.yaml)
  • Added a relevant changelog entry: clog add [section] [stanza] [message]

(FOR ADMIN) Before merging

  • Added appropriate labels to PR
  • Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)
  • Confirm added tests are consistent with the intended behavior of changes
  • Ensure all tests pass

faddat and others added 30 commits March 1, 2023 14:37
@faddat faddat changed the title Lint in advance of v3 for easier comprehension Linting and Code Scanning Mar 18, 2023
@nghuyenthevinh2000
Copy link
Contributor

@nghuyenthevinh2000 this is a screenshot of the main branch bud

the current workflow does not work

commit is:

ff2e40b

Screenshot 2023-03-19 at 2 19 37 AM

there is only one failing and it is docker hub authorization. Also on: ff2e40b

Screenshot 2023-03-19 at 02 24 44

The reason for liveness test existence:

For a distributed system, the FLP theorem dictates properties of a consensus network

  • Agreement: All correct nodes decide for the same value.
  • Termination: All non-faulty processes eventually decide on a value in finite time.
  • Validity: The decision value must be the input value of a node.

liveness test is an overall attack on FLP theorem by randomly shut down nodes.

Lemma 16.13. If a configuration tree contains a critical configuration, crashing
a single node can create a bivalent leaf; i.e., a crash prevents the algorithm from
reaching agreement.

More information here: https://disco.ethz.ch/courses/hs21/distsys/lnotes/chapter16.pdf

@nghuyenthevinh2000
Copy link
Contributor

https://github.com/rokroskar/workflow-run-cleanup-action seems to be deprecated, precise change to this is needed

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

The maintainers are allowed to push to this branch, you know.

I do think it is a very significant improvement in many areas.

Please feel welcome to fix the liveness test, I've brought it back.

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

Should really not have big red X on main. I'm going to kinda just step back.

ikyk I know what the liveness test is.

Do refactor go.mod, I've never seen anything like its current state anywhere before.

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

@nghuyenthevinh2000 you mean, it's been deprecated for months and months and months, and no one checked?

yeah welcome to my world.

good job checking.

Those files were last edited 19 months ago.

@nghuyenthevinh2000
Copy link
Contributor

Tobias choice for golang 1.18 over newer go version seems due to practice in banking: "If it ain’t broke, don’t fix it"

https://www.tpr.org/technology-entrepreneurship/2019-05-23/how-cobol-still-powers-the-global-economy-at-60-years-old

The COBOL language has been powering the banking system for too long time but it is stable.

If we apply this context to Terra - Classic, a system meant to be durable like banking, current go 1.18 is functioning and best not to touch it. Moving version upward introduces potential break.

Of course, not moving go version upward is not a good choice also. It is best to leave the choice of go version in upgrade tesnet phase. The current phase is development.

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

done with this for now, you have access to push to this branch, so, feel free to smooth whatever you'd like.

@nghuyenthevinh2000
Copy link
Contributor

done with this for now, you have access to push to this branch, so, feel free to smooth whatever you'd like.

thanks, I will have a look

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

Final thought -- l1tf -- supposed to maintain the chain.

The idea that this is out of scope, seems rather.... bad.

Either redefine the scope or announce you're not really maintaining the chain (obvs I recommend that you actually do maintainership work)

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

@nghuyenthevinh2000 sir, when google deprecates a language runtime really, really early, they have reasons for doing it.

I make changes like those, following google's advice, because:

  • google makes golang
  • google is better resourced than notional
  • google has some of the world's brightest software engineers

I understand that Tobias thinks he knows better, but for real:

Check the CVE's 🖖

(no seriously man check them)

good place to begin the research journey:

Golang is not cobol. It is a garbage collected, type safe system with a full network stack in the standard library <- bolded for emphasis

If the authors of COBOL said "don't use this version of cobol, we don't recommend it, it might shoot your dog, here are two supported versions of COBOL"

... would it make even an iota of sense to use the version of cobol where the actual authors are telling you that it could shoot your dog?

Additionally, the version of the language runtime is most certainly NOT the only thing I changed in #179.

I will reopen it. You should review it. While reviewing look at the present state of go.mod, and look at the replaces. Then look for deprecations among them.

Same situation. Deprecated code, is the authors telling you "don't use this, it could shoot your dog". Currently the replace section of go.mod is chock full of deprecated software.

@nghuyenthevinh2000 I tried to reopen my go.mod PR just now but there are a bunch of conflicts. Please feel free to use this:

go 1.20

module github.com/classic-terra/core

require (
	github.com/CosmWasm/wasmvm v0.16.7
	github.com/cosmos/cosmos-sdk v0.45.13
	github.com/cosmos/gogoproto v1.4.6
	github.com/cosmos/ibc-go v1.3.1
	github.com/gogo/protobuf v1.3.3
	github.com/golang/protobuf v1.5.2
	github.com/google/gofuzz v1.2.0
	github.com/gorilla/mux v1.8.0
	github.com/grpc-ecosystem/grpc-gateway v1.16.0
	github.com/pkg/errors v0.9.1
	github.com/rakyll/statik v0.1.7
	github.com/spf13/cast v1.5.0
	github.com/spf13/cobra v1.6.1
	github.com/spf13/pflag v1.0.5
	github.com/stretchr/testify v1.8.1
	github.com/tendermint/tendermint v0.34.24
	github.com/tendermint/tm-db v0.6.7
	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f
	google.golang.org/grpc v1.53.0
	gopkg.in/yaml.v2 v2.4.0
)

require (
	filippo.io/edwards25519 v1.0.0-beta.2 // indirect
	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
	github.com/99designs/keyring v1.1.6 // indirect
	github.com/ChainSafe/go-schnorrkel v0.0.0-20200405005733-88cbf1b4c40d // indirect
	github.com/Workiva/go-datastructures v1.0.53 // indirect
	github.com/armon/go-metrics v0.4.0 // indirect
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/bgentry/speakeasy v0.1.1-0.20220910012023-760eaf8b6816 // indirect
	github.com/btcsuite/btcd v0.22.2 // indirect
	github.com/cespare/xxhash v1.1.0 // indirect
	github.com/cespare/xxhash/v2 v2.1.2 // indirect
	github.com/coinbase/rosetta-sdk-go v0.7.0 // indirect
	github.com/confio/ics23/go v0.9.0 // indirect
	github.com/cosmos/btcutil v1.0.4 // indirect
	github.com/cosmos/go-bip39 v1.0.0 // indirect
	github.com/cosmos/gorocksdb v1.2.0 // indirect
	github.com/cosmos/iavl v0.19.5 // indirect
	github.com/cosmos/ledger-cosmos-go v0.12.2 // indirect
	github.com/cosmos/ledger-go v0.9.2 // indirect
	github.com/creachadair/taskgroup v0.3.2 // indirect
	github.com/danieljoos/wincred v1.1.2 // indirect
	github.com/davecgh/go-spew v1.1.1 // indirect
	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
	github.com/dgraph-io/ristretto v0.0.3 // indirect
	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
	github.com/dustin/go-humanize v1.0.0 // indirect
	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
	github.com/felixge/httpsnoop v1.0.2 // indirect
	github.com/fsnotify/fsnotify v1.6.0 // indirect
	github.com/go-kit/kit v0.12.0 // indirect
	github.com/go-kit/log v0.2.1 // indirect
	github.com/go-logfmt/logfmt v0.5.1 // indirect
	github.com/gobwas/ws v1.1.0 // indirect
	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
	github.com/gogo/gateway v1.1.0 // indirect
	github.com/golang/snappy v0.0.4 // indirect
	github.com/google/btree v1.0.1 // indirect
	github.com/google/go-cmp v0.5.9 // indirect
	github.com/google/orderedcode v0.0.1 // indirect
	github.com/gorilla/handlers v1.5.1 // indirect
	github.com/gorilla/websocket v1.5.0 // indirect
	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
	github.com/gtank/merlin v0.1.1 // indirect
	github.com/gtank/ristretto255 v0.1.2 // indirect
	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
	github.com/hashicorp/golang-lru v0.5.5-0.20210104140557-80c98217689d // indirect
	github.com/hashicorp/hcl v1.0.0 // indirect
	github.com/hdevalence/ed25519consensus v0.0.0-20210204194344-59a8610d2b87 // indirect
	github.com/improbable-eng/grpc-web v0.14.1 // indirect
	github.com/inconshreveable/mousetrap v1.0.1 // indirect
	github.com/jmhodges/levigo v1.0.0 // indirect
	github.com/klauspost/compress v1.15.13 // indirect
	github.com/lib/pq v1.10.6 // indirect
	github.com/libp2p/go-buffer-pool v0.1.0 // indirect
	github.com/magiconair/properties v1.8.6 // indirect
	github.com/mattn/go-colorable v0.1.13 // indirect
	github.com/mattn/go-isatty v0.0.16 // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
	github.com/mimoo/StrobeGo v0.0.0-20210601165009-122bf33a46e0 // indirect
	github.com/minio/highwayhash v1.0.2 // indirect
	github.com/mitchellh/mapstructure v1.5.0 // indirect
	github.com/mtibben/percent v0.2.1 // indirect
	github.com/pelletier/go-toml v1.9.5 // indirect
	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
	github.com/pmezard/go-difflib v1.0.0 // indirect
	github.com/prometheus/client_golang v1.14.0 // indirect
	github.com/prometheus/client_model v0.3.0 // indirect
	github.com/prometheus/common v0.37.0 // indirect
	github.com/prometheus/procfs v0.8.0 // indirect
	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
	github.com/regen-network/cosmos-proto v0.3.1 // indirect
	github.com/rs/cors v1.8.2 // indirect
	github.com/rs/zerolog v1.27.0 // indirect
	github.com/sasha-s/go-deadlock v0.3.1 // indirect
	github.com/spf13/afero v1.9.2 // indirect
	github.com/spf13/jwalterweatherman v1.1.0 // indirect
	github.com/spf13/viper v1.14.0 // indirect
	github.com/subosito/gotenv v1.4.1 // indirect
	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
	github.com/tendermint/go-amino v0.16.0 // indirect
	github.com/tidwall/btree v1.5.0 // indirect
	github.com/zondax/hid v0.9.1 // indirect
	go.etcd.io/bbolt v1.3.6 // indirect
	golang.org/x/crypto v0.5.0 // indirect
	golang.org/x/exp v0.0.0-20230131160201-f062dba9d201 // indirect
	golang.org/x/net v0.7.0 // indirect
	golang.org/x/sys v0.5.0 // indirect
	golang.org/x/term v0.5.0 // indirect
	golang.org/x/text v0.7.0 // indirect
	google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 // indirect
	gopkg.in/ini.v1 v1.67.0 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
	nhooyr.io/websocket v1.8.7 // indirect
)

// the sdk's mandatory replaces
replace (
	// use cosmos fork of keyring
	github.com/99designs/keyring => github.com/cosmos/keyring v1.2.0
	// dgrijalva/jwt-go is deprecated and doesn't receive security updates.
	// TODO: remove it: https://github.com/cosmos/cosmos-sdk/issues/13134
	github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 v4.4.2

	// Fix upstream GHSA-h395-qcrw-5vmq vulnerability.
	// TODO Remove it: https://github.com/cosmos/cosmos-sdk/issues/10409
	github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.8.1

	// Use regen gogoproto fork
	// This for is replaced by cosmos/gogoproto in future versions
	github.com/gogo/protobuf => github.com/regen-network/protobuf v1.3.3-alpha.regen.1

	// use a secure protoreflect version
	github.com/jhump/protoreflect => github.com/jhump/protoreflect v1.9.0

	// use grpc compatible with regen gogoproto fork
	google.golang.org/grpc => google.golang.org/grpc v1.33.2
)

// replaces that lunc needs
replace (
	// use fork of cosmos-sdk with lunc's changes
	github.com/cosmos/cosmos-sdk => github.com/classic-terra/cosmos-sdk v0.45.13-classic
	// use a ledger library that uses coin-type 330
	github.com/cosmos/ledger-cosmos-go => github.com/terra-money/ledger-terra-go v0.11.2 // TODO: bring this up to date with github.com/cosmos-ledger-cosmos-go
	// use a version of tendermint that is patched for lunc
	github.com/tendermint/tendermint => github.com/classic-terra/tendermint v0.34.24-terra.0 // TODO: minimum safe version of tendermint is v0.34.26, see release notes at https://github.com/informalsystems/tendermint
)

@faddat
Copy link
Contributor Author

faddat commented Mar 18, 2023

  • Code scanning results / Spectral (reported by Codacy) Successful in 26s — 1,215 new alerts
  • Code scanning results / Jshint (reported by Codacy) Successful in 27s — 5,000 new alerts
  • Code scanning results / CodeQL Successful in 5s — 53 new alerts, 4 fixes
  • Code scanning results / Pylint (reported by Codacy) Successful in 24s — 89 new alerts

@faddat
Copy link
Contributor Author

faddat commented Mar 19, 2023

https://openssf.org/

@ZaradarBH ZaradarBH added Value-Add and removed enhancement New feature or request labels Mar 19, 2023
@ZaradarBH
Copy link
Contributor

ZaradarBH commented Mar 20, 2023

#> @nghuyenthevinh2000 sir, when google deprecates a language runtime really, really early, they have reasons for doing it.

I make changes like those, following google's advice, because:

  • google makes golang
  • google is better resourced than notional
  • google has some of the world's brightest software engineers

I understand that Tobias thinks he knows better, but for real:

Check the CVE's 🖖

(no seriously man check them)

good place to begin the research journey:

Golang is not cobol. It is a garbage collected, type safe system with a full network stack in the standard library <- bolded for emphasis

If the authors of COBOL said "don't use this version of cobol, we don't recommend it, it might shoot your dog, here are two supported versions of COBOL"

... would it make even an iota of sense to use the version of cobol where the actual authors are telling you that it could shoot your dog?

Additionally, the version of the language runtime is most certainly NOT the only thing I changed in #179.

I will reopen it. You should review it. While reviewing look at the present state of go.mod, and look at the replaces. Then look for deprecations among them.

Same situation. Deprecated code, is the authors telling you "don't use this, it could shoot your dog". Currently the replace section of go.mod is chock full of deprecated software.

@nghuyenthevinh2000 I tried to reopen my go.mod PR just now but there are a bunch of conflicts. Please feel free to use this:

go 1.20

module github.com/classic-terra/core

require (
	github.com/CosmWasm/wasmvm v0.16.7
	github.com/cosmos/cosmos-sdk v0.45.13
	github.com/cosmos/gogoproto v1.4.6
	github.com/cosmos/ibc-go v1.3.1
	github.com/gogo/protobuf v1.3.3
	github.com/golang/protobuf v1.5.2
	github.com/google/gofuzz v1.2.0
	github.com/gorilla/mux v1.8.0
	github.com/grpc-ecosystem/grpc-gateway v1.16.0
	github.com/pkg/errors v0.9.1
	github.com/rakyll/statik v0.1.7
	github.com/spf13/cast v1.5.0
	github.com/spf13/cobra v1.6.1
	github.com/spf13/pflag v1.0.5
	github.com/stretchr/testify v1.8.1
	github.com/tendermint/tendermint v0.34.24
	github.com/tendermint/tm-db v0.6.7
	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f
	google.golang.org/grpc v1.53.0
	gopkg.in/yaml.v2 v2.4.0
)

require (
	filippo.io/edwards25519 v1.0.0-beta.2 // indirect
	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
	github.com/99designs/keyring v1.1.6 // indirect
	github.com/ChainSafe/go-schnorrkel v0.0.0-20200405005733-88cbf1b4c40d // indirect
	github.com/Workiva/go-datastructures v1.0.53 // indirect
	github.com/armon/go-metrics v0.4.0 // indirect
	github.com/beorn7/perks v1.0.1 // indirect
	github.com/bgentry/speakeasy v0.1.1-0.20220910012023-760eaf8b6816 // indirect
	github.com/btcsuite/btcd v0.22.2 // indirect
	github.com/cespare/xxhash v1.1.0 // indirect
	github.com/cespare/xxhash/v2 v2.1.2 // indirect
	github.com/coinbase/rosetta-sdk-go v0.7.0 // indirect
	github.com/confio/ics23/go v0.9.0 // indirect
	github.com/cosmos/btcutil v1.0.4 // indirect
	github.com/cosmos/go-bip39 v1.0.0 // indirect
	github.com/cosmos/gorocksdb v1.2.0 // indirect
	github.com/cosmos/iavl v0.19.5 // indirect
	github.com/cosmos/ledger-cosmos-go v0.12.2 // indirect
	github.com/cosmos/ledger-go v0.9.2 // indirect
	github.com/creachadair/taskgroup v0.3.2 // indirect
	github.com/danieljoos/wincred v1.1.2 // indirect
	github.com/davecgh/go-spew v1.1.1 // indirect
	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
	github.com/dgraph-io/ristretto v0.0.3 // indirect
	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
	github.com/dustin/go-humanize v1.0.0 // indirect
	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
	github.com/felixge/httpsnoop v1.0.2 // indirect
	github.com/fsnotify/fsnotify v1.6.0 // indirect
	github.com/go-kit/kit v0.12.0 // indirect
	github.com/go-kit/log v0.2.1 // indirect
	github.com/go-logfmt/logfmt v0.5.1 // indirect
	github.com/gobwas/ws v1.1.0 // indirect
	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
	github.com/gogo/gateway v1.1.0 // indirect
	github.com/golang/snappy v0.0.4 // indirect
	github.com/google/btree v1.0.1 // indirect
	github.com/google/go-cmp v0.5.9 // indirect
	github.com/google/orderedcode v0.0.1 // indirect
	github.com/gorilla/handlers v1.5.1 // indirect
	github.com/gorilla/websocket v1.5.0 // indirect
	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
	github.com/gtank/merlin v0.1.1 // indirect
	github.com/gtank/ristretto255 v0.1.2 // indirect
	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
	github.com/hashicorp/golang-lru v0.5.5-0.20210104140557-80c98217689d // indirect
	github.com/hashicorp/hcl v1.0.0 // indirect
	github.com/hdevalence/ed25519consensus v0.0.0-20210204194344-59a8610d2b87 // indirect
	github.com/improbable-eng/grpc-web v0.14.1 // indirect
	github.com/inconshreveable/mousetrap v1.0.1 // indirect
	github.com/jmhodges/levigo v1.0.0 // indirect
	github.com/klauspost/compress v1.15.13 // indirect
	github.com/lib/pq v1.10.6 // indirect
	github.com/libp2p/go-buffer-pool v0.1.0 // indirect
	github.com/magiconair/properties v1.8.6 // indirect
	github.com/mattn/go-colorable v0.1.13 // indirect
	github.com/mattn/go-isatty v0.0.16 // indirect
	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
	github.com/mimoo/StrobeGo v0.0.0-20210601165009-122bf33a46e0 // indirect
	github.com/minio/highwayhash v1.0.2 // indirect
	github.com/mitchellh/mapstructure v1.5.0 // indirect
	github.com/mtibben/percent v0.2.1 // indirect
	github.com/pelletier/go-toml v1.9.5 // indirect
	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
	github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
	github.com/pmezard/go-difflib v1.0.0 // indirect
	github.com/prometheus/client_golang v1.14.0 // indirect
	github.com/prometheus/client_model v0.3.0 // indirect
	github.com/prometheus/common v0.37.0 // indirect
	github.com/prometheus/procfs v0.8.0 // indirect
	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
	github.com/regen-network/cosmos-proto v0.3.1 // indirect
	github.com/rs/cors v1.8.2 // indirect
	github.com/rs/zerolog v1.27.0 // indirect
	github.com/sasha-s/go-deadlock v0.3.1 // indirect
	github.com/spf13/afero v1.9.2 // indirect
	github.com/spf13/jwalterweatherman v1.1.0 // indirect
	github.com/spf13/viper v1.14.0 // indirect
	github.com/subosito/gotenv v1.4.1 // indirect
	github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
	github.com/tendermint/go-amino v0.16.0 // indirect
	github.com/tidwall/btree v1.5.0 // indirect
	github.com/zondax/hid v0.9.1 // indirect
	go.etcd.io/bbolt v1.3.6 // indirect
	golang.org/x/crypto v0.5.0 // indirect
	golang.org/x/exp v0.0.0-20230131160201-f062dba9d201 // indirect
	golang.org/x/net v0.7.0 // indirect
	golang.org/x/sys v0.5.0 // indirect
	golang.org/x/term v0.5.0 // indirect
	golang.org/x/text v0.7.0 // indirect
	google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 // indirect
	gopkg.in/ini.v1 v1.67.0 // indirect
	gopkg.in/yaml.v3 v3.0.1 // indirect
	nhooyr.io/websocket v1.8.7 // indirect
)

// the sdk's mandatory replaces
replace (
	// use cosmos fork of keyring
	github.com/99designs/keyring => github.com/cosmos/keyring v1.2.0
	// dgrijalva/jwt-go is deprecated and doesn't receive security updates.
	// TODO: remove it: https://github.com/cosmos/cosmos-sdk/issues/13134
	github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 v4.4.2

	// Fix upstream GHSA-h395-qcrw-5vmq vulnerability.
	// TODO Remove it: https://github.com/cosmos/cosmos-sdk/issues/10409
	github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.8.1

	// Use regen gogoproto fork
	// This for is replaced by cosmos/gogoproto in future versions
	github.com/gogo/protobuf => github.com/regen-network/protobuf v1.3.3-alpha.regen.1

	// use a secure protoreflect version
	github.com/jhump/protoreflect => github.com/jhump/protoreflect v1.9.0

	// use grpc compatible with regen gogoproto fork
	google.golang.org/grpc => google.golang.org/grpc v1.33.2
)

// replaces that lunc needs
replace (
	// use fork of cosmos-sdk with lunc's changes
	github.com/cosmos/cosmos-sdk => github.com/classic-terra/cosmos-sdk v0.45.13-classic
	// use a ledger library that uses coin-type 330
	github.com/cosmos/ledger-cosmos-go => github.com/terra-money/ledger-terra-go v0.11.2 // TODO: bring this up to date with github.com/cosmos-ledger-cosmos-go
	// use a version of tendermint that is patched for lunc
	github.com/tendermint/tendermint => github.com/classic-terra/tendermint v0.34.24-terra.0 // TODO: minimum safe version of tendermint is v0.34.26, see release notes at https://github.com/informalsystems/tendermint
)

Afaik 1.18 is not deprecated. Google simply released newer versions with more features and they are naturally trying to nudge people to upgrade. This is however a never ending cycle of big vendors pushing innovations and enterprise wanting stability/predictability. Thus MS is now offering up .NET 7 which is actually a merge of .NET Classic and their new cross platform .NET framework that allows enterprise, which did not upgrade from .NET classic due to the above reasoning, to run their application code on a unified framework. In the same way Google will keep the lights on for Go 1.18 for as long as there is a market demand for it and my personal view is that given that 1.18 was released on March 15, 2022 @ https://go.dev/blog/go1.18 it is highly unlikely that the framework release version will not be supported for 3 - 5 years as is the standard in enterprise IT.

Copy link
Contributor

@ZaradarBH ZaradarBH left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You will need to merge conflicts from the other PRs and I think there is some overlap to your other PRs.

@@ -0,0 +1,35 @@
version: 2
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my other comment about dependabot

@@ -0,0 +1,37 @@
---
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are in the process of building a new CI/CD pipeline. So most of the assets will most likely end up being deprecated

@fragwuerdig
Copy link
Collaborator

fragwuerdig commented Mar 20, 2023

@ZaradarBH https://endoflife.date/go

IMG_20230320_172955

However, I found no official sources on go 1.18 deprecation... (Like, from Google)

Wikipedia says it's deprecated too.

@ZaradarBH
Copy link
Contributor

@ZaradarBH https://endoflife.date/go

IMG_20230320_172955

However, I found no official sources on go 1.18 deprecation... (Like, from Google)

I know about this site. But just to put it into context, just because I state a perceived "ideal" as issued by us as developers. Do you really think businesses and investors care about that? In that light, do you think Google prioritizes ideals over money?

Kubectl follows the same general engineering principle with only having two-version compatibility between kubectl and the version of k8s your running in a target cluster. This does not mean that older versions are automatically deprecated and AWS have to update all their managed EKS instances every 6 months. Simply that they are no longer accepting RFCs.

So find me an official source from Google that states that everyone needs to migrate away from 1.18 under fear of death, then we can talk about re-prioritizing it.

@fragwuerdig
Copy link
Collaborator

fragwuerdig commented Mar 20, 2023

@ZaradarBH https://endoflife.date/go
IMG_20230320_172955
However, I found no official sources on go 1.18 deprecation... (Like, from Google)

I know about this site. But just to put it into context, just because I state a perceived "ideal" as issued by us as developers. Do you really think businesses and investors care about that? In that light, do you think Google prioritizes ideals over money?

Kubectl follows the same general engineering principle with only having two-version compatibility between kubectl and the version of k8s your running in a target cluster. This does not mean that older versions are automatically deprecated and AWS have to update all their managed EKS instances every 6 months. Simply that they are no longer accepting RFCs.

So find me an official source from Google that states that everyone needs to migrate away from 1.18 under fear of death, then we can talk about re-prioritizing it.

I fully support you with this. Chain stability goes first. go 1.19 has proven to be instable with this chain. I just want to throw it into this context without offending you. Because it's important to bear in mind and we should move to the next go version. However, if you ask me, it won't happen with this PR. And most certainly not in 2.0.0

@faddat
Copy link
Contributor Author

faddat commented Mar 21, 2023

@ZaradarBH sir, it really doesn't seem like I'm offended -- and I'm not.

Then again, you need to live with this:

"Jacob why'd you make these PR's then?"

The culture we're building at Notional doesn't permit validating a chain and letting it slide.

The chain was unstable not because of go 1.19, but because it mixed go 1.18 and 1.19 and likely 1.20 as well.

@ZaradarBH
Copy link
Contributor

@ZaradarBH sir, it really doesn't seem like I'm offended -- and I'm not.

Then again, you need to live with this:

"Jacob why'd you make these PR's then?"

The culture we're building at Notional doesn't permit validating a chain and letting it slide.

The chain was unstable not because of go 1.19, but because it mixed go 1.18 and 1.19 and likely 1.20 as well.

Jacob your list of supposed "falsehood" is pointless and largely self-denial on your part. If you want to extend this into the legal realm I am more then willing and able to take this all the way. However I would advice against it because quiet frankly the internet is rife with examples of your "instability", so focus on what matters or end up getting ignored.

@nghuyenthevinh2000
Copy link
Contributor

closing in favor of #270

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
discuss Still being debated out of scope work that is unapproved by the community, but still essential for the L1 team
Projects
Status: 📋 Backlog
Development

Successfully merging this pull request may close these issues.

5 participants