go.mod: Go 1.16 #22462

Closed

meowsbits
Contributor

Bump module Go version from 1.13 (released 2019/09/03) to 1.16 (released 2021/02/16).

https://golang.org/doc/devel/release.html

CI builder versions were bumped to 1.16 with c5023e1.

Date: 2021-03-08 08:48:29-06:00
Signed-off-by: meows <b5c6@protonmail.com>
Date: 2021-03-08 08:49:18-06:00
Signed-off-by: meows <b5c6@protonmail.com>
@meowsbits
Contributor Author

meowsbits commented Mar 9, 2021

I have been doing a little research (timely, I know) on how exactly the Go version number is supposed to be used.

In short,

The language version determines which language features are available when compiling packages in the module.

(a caveat):

  • go 1.15.5 won't work; invalid go version '1.15.5': must match format 1.23

"It implies to me the minimum version of Go for the project". Following this logic, then it seems like go1.13 is acceptable, since that version introduced Error wrapping which is used here, and that's the latest "feature" I'm aware of that's differentiable at this repo.

Now, I'm not sure if the Go vulnerability fixed with 1.15.5 counts as a "language feature" (probably not?), but the relevance of that patch here may be a good reason to "strongly suggest" the latest go-mod-allowed version subsequent to it, namely go 1.16. In this case the minimum version of Go is defined by application safety (related to a language bug), rather than language feature utilization.

## Vulnerable to GETH-2020-02 (GoCrash)

Severity: Critical
Summary : A denial-of-service issue can be used to crash Geth nodes during block processing, due to an underlying bug in Go (CVE-2020-28362) versions < `1.15.5`, or `<1.14.12`
Fixed in: v1.9.24
References:
	- https://blog.ethereum.org/2020/11/12/geth_security_release/
	- https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
	- https://github.com/golang/go/issues/42552

Note that setting go1.16 won't necessarily prevent users from building with lower Go versions (until, and if, language features prohibiting it were used in the application, e.g. go embed).
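
Added example, not part of this pull request or of the go-ethereum code base: because the `go` directive does not stop a build with an older toolchain, a binary can instead inspect `runtime.Version()` at startup and compare it with the fixed releases quoted above for CVE-2020-28362. The function names `parseGoRelease` and `predatesGoCrashFix` are hypothetical, and treating releases older than the 1.14 line as affected is an assumption based on the "<1.14.12" wording.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// parseGoRelease parses runtime.Version()-style strings such as "go1.16" or
// "go1.15.5". Development and pre-release builds are rejected, not guessed at.
func parseGoRelease(v string) (minor, patch int, err error) {
	f := strings.Fields(v) // drops trailing build annotations after the version
	if len(f) == 0 || !strings.HasPrefix(f[0], "go1.") {
		return 0, 0, fmt.Errorf("not a Go 1.x release version: %q", v)
	}
	parts := strings.SplitN(strings.TrimPrefix(f[0], "go1."), ".", 2)
	minor, err = strconv.Atoi(parts[0])
	if err == nil && len(parts) == 2 {
		patch, err = strconv.Atoi(parts[1])
	}
	if err != nil {
		return 0, 0, fmt.Errorf("unsupported version %q: %w", v, err)
	}
	return minor, patch, nil
}

// predatesGoCrashFix reports whether a toolchain is older than the fixed
// releases quoted in the thread (1.15.5 and 1.14.12).
// Assumption: anything older than the 1.14 line is treated as affected.
func predatesGoCrashFix(v string) (bool, error) {
	minor, patch, err := parseGoRelease(v)
	if err != nil {
		return false, err
	}
	switch minor {
	case 14:
		return patch < 12, nil
	case 15:
		return patch < 5, nil
	}
	return minor < 14, nil
}

func main() {
	bad, err := predatesGoCrashFix(runtime.Version())
	fmt.Println(runtime.Version(), "predates fix:", bad, "error:", err)
}
```

A version string that cannot be parsed returns an error instead of a verdict, so a caller can decide whether to warn or refuse to start.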

Contributor

@holiman holiman left a comment

Makes sense to me ... @fjl?

@fjl
Contributor

fjl commented Mar 15, 2021

I'm not sure about this.

@karalabe
Member

We really don't see any reason to start playing with whatever language syntax enforcement this field provides. If you can build it with old versions, great. If we'll use something newer and old builds fail, you're gonna see it.

@karalabe karalabe closed this Mar 16, 2021