Stop supporting 3 releases of Go #7249
Comments
dfawley
changed the title
|
If we make this change, it should not affect our strategy of updating the |
|
With no comments in this issue in 1 week, we will go forward with this plan. |
|
isn't this out of compliance with GCP's Go version support policy? https://cloud.google.com/go/getting-started/supported-go-versions From my read that is 3 supported versions, no? |
|
I'm not sure how they intend to do this, as Go's version support policy is effectively trickle-down with the recent go.mod tooling changes -- if any dependency demands it, you must upgrade your minimum supported version. If a dependency only supports a newer version, and you don't want to upgrade, you can pin to an older release of theirs. But if they then have a CVE and address it in a newer version, then you are in a very tough position -- drop support for the older version or not address the CVE. cc @codyoss we should probably chat about this some time? |
Since grpc/grpc-go#7249, gRPC-Go only supports the last two versions of Golang. Similar to Golang policy itself
Since grpc/grpc-go#7249, gRPC-Go only supports the last two versions of Golang. Similar to Golang policy itself
Per https://go.dev/doc/modules/gomod-ref#go-notes:
Because of this, any time we update our dependencies, if any of them requires Go 1.21, we either have to not update those packages (which may represent a security risk), or we cannot support Go 1.20 any longer.
I believe we need to change our support policy to only cover the last two releases of Go, which is what the Go team maintains, itself:
https://go.dev/doc/devel/release#policy
The text was updated successfully, but these errors were encountered: