cmd/go/internal/modfetch: treat malformed versions as “not found” on the proxy path

[zx2c4]

For Go 1.11 and 1.12, I have in my go.mod something like:

replace (
        github.com/lxn/walk => golang.zx2c4.com/wireguard/windows pkg/walk
        github.com/lxn/win => golang.zx2c4.com/wireguard/windows pkg/walk-win
)

I use this to indicate that usage of github.com/lxn/walk should be replaced with the latest contents of a branch called pkg/walk from golang.zx2c4.com/wireguard/windows.

With 1.13beta1, this now breaks with a message:

/home/zx2c4/Projects/wireguard-windows/go.mod:16: replace golang.zx2c4.com/wireguard/windows: version "pkg/walk" invalid: version "pkg/walk" invalid: disallowed version string
/home/zx2c4/Projects/wireguard-windows/go.mod:17: replace golang.zx2c4.com/wireguard/windows: version "pkg/walk-win" invalid: version "pkg/walk-win" invalid: disallowed version string

This poses a significant problem.

[cespare]

/cc @bcmills

[zx2c4]

Should this have the release-blocker tag? It's certainly a regression from 1.11 and 1.12.

[hyangah]

@bcmills @jayconrod I think this is a side-effect of changing GOPROXY.

$ GOOS=windows GOPROXY=direct GONOSUM=.* go1.13beta get golang.zx2c4.com/wireguard/windows@pkg/walk
go: finding golang.zx2c4.com/wireguard/windows pkg/walk

The problem can be reproducible with go1.12 if GOPROXY is set.

GOOS=windows GOPROXY=https://proxy.golang.org GONOSUM=.* go get golang.zx2c4.com/wireguard/windows@pkg/walk
go: finding golang.zx2c4.com/wireguard/windows pkg/walk
go: finding golang.zx2c4.com/wireguard pkg/walk
go: finding golang.zx2c4.com pkg/walk
go get golang.zx2c4.com/wireguard/windows@pkg/walk: disallowed version string "pkg/walk"

[hyangah]

Such version strings are not accepted by golang.org/x/mod/module package that is used by both go command and proxy.golang.org as well. The module proxy protocol doc (go help goproxy) does not specify an acceptable set of version strings.

[bcmills]

@zx2c4, can you confirm that setting GOPROXY=direct continues to allow the branch-names in question? (That probably determines whether this gets the release-blocker label.)

[jayconrod]

This might be a limitation in the proxy, rather than the Go command.

With go1.13beta1, the command below succeeds:

$ GOPROXY=direct go mod download -json golang.zx2c4.com/wireguard/windows@pkg/walk

However, it fails with GOPROXY=https://proxy.golang.org/. Specifically, this query fails:

$ curl https://proxy.golang.org/golang.zx2c4.com/wireguard/windows/@v/pkg/walk.info
bad request: invalid escaped version "pkg/walk": invalid char '/'

When the proxy is enabled, this is the first request the Go command will send in order to find out the canonical version for pkg/walk.

[cuonglm]

@zx2c4, can you confirm that setting GOPROXY=direct continues to allow the branch-names in question? (That probably determines whether this gets the release-blocker label.)

Set GOPROXY=direct works for me:

cuonglm :: /tmp/test » GOPROXY=direct go mod tidy
golang.zx2c4.com/wireguard/windows pkg/walk
go: finding golang.zx2c4.com/wireguard/windows pkg/walk
golang.zx2c4.com/wireguard/windows pkg/walk-win
go: finding golang.zx2c4.com/wireguard/windows pkg/walk-win

[bcmills]

@hyangah

Such version strings are not accepted by golang.org/x/mod/module package

The general solution here may be for the proxy to treat any (non-pseudo-) version that fails module.Check as a potential branch name.

[hyangah]

@bcmills @jayconrod

Note that the same code is being used in the go command.
The golang.org/x/mod/module package is a copy of src/cmd/go/internal/module package. The error message users observed is probably before hitting the network. (src/cmd/go/internal/modfetch/proxy.go)

@rsc

[heschi]

It wasn't clear to me, so for the record: the problem is that the module.Escape/UnescapeVersion functions, which are only used on the proxy code paths in the go command, don't allow slashes. So, yes, proxy.golang.org doesn't support them, but more importantly, the go command never even gets that far because it can't encode the request properly.

[zx2c4]

@zx2c4, can you confirm that setting GOPROXY=direct continues to allow the branch-names in question?

Confirmed.

[utrack]

This bug also affects module imports from a subdirectory of another module.

Here's an example tree for a repo:

github.com/foo/bar
├── pkg
│       └── baz
│           └── go.mod
└── go.mod

If I were to import package github.com/foo/bar/pkg/baz then go would try to fetch tag pkg/baz/v1.0.0 automatically (that would fail).

What're the next steps for that one - do we want to fix go or proxy (athens)?

[bcmills]

@utrack, the versions in the proxy protocol are not the same as the tags in the underlying repo. The tag for the module in the pkg/baz subdirectory is indeed pkg/baz/v1.0.0, but once the module is extracted into the module cache that version is encoded as simply v1.0.0 (because the pkg/baz portion is already encoded in the module cache).

[hyangah]

@utrack try the -x flag to see how the go command works with the proxy. That will show the behavior @bcmills described above. go get github.com/foo/bar/pkg/[email protected] or go get github.com/foo/bar/pkg/baz will work as expected.

go get github.com/foo/bar/pkg/baz@pkg/baz/v1.0.0 won't due to this issue but not sure how often ppl want to fetch a module/package in that way.

[4F2E4A2E]

Using the hash of the branch git rev-parse did it for me, see the comment: #34175 (comment)

[mvdan]

Are slashes in git branch names very common?

As much as I don't personally use them, I'm afraid they are common. Where I work, pretty much everyone works in branches like feat/some-feature or fix/some-bug. For example: https://github.com/ipfs/go-ipfs/branches

[mvdan]

To add to my last comment, the convention is even documented here: https://github.com/ipfs/community/blob/master/CONTRIBUTING_GO.md#branch-names

If you are working on a new feature, prefix your branch name with feat/. If you are fixing an issue, fix/. If you are simply adding tests, test/. If you are adding documentation, doc/. If your changeset doesn't fall into one of these categories, use your best judgement and come up with your own short prefix.

[stevekuznetsov]

Any chance that this gets fixed at any point? Slashes in branch names are very common and it's frustrating to have to work around this limitation all the time.

[elgs]

I am building a main app that will optionally support one or more database drivers. I wonder if I could branch each type of database driver separately and allow users to go get/install from respective branches if they only need one database type.

package main

import (
        // ...

	_ "github.com/go-sql-driver/mysql"
	_ "github.com/jackc/pgx/v5/stdlib"
	_ "github.com/mattn/go-sqlite3"
	_ "github.com/microsoft/go-mssqldb"
	_ "github.com/sijms/go-ora/v2"
	_ "modernc.org/sqlite"
)

[elgs]

It seems it works as of go 1.20.1.
I created several branches, all, mysql, sqlite3, and etc., loading only corresponding drivers. And I was able to install the different branches by:

$ go install github.com/elgs/gosqlapi@mysql
$ go install github.com/elgs/gosqlapi@sqlite3
$ go install github.com/elgs/gosqlapi@all

I am quite satisfied as it is. But I am not sure if I overlooked anything.

[stevekuznetsov]

@elgs this issue is about interacting with branches that have a forward slash (/) in them - e.g. branch/name.

[akhilerm]

Setting GOPROXY='https://proxy.golang.org|direct' can also be used as a workaround instead of the default GOPROXY=https://proxy.golang.org,direct. This means for any error from the first URL, fall back to direct as per go1.15 release notes

[kaovilai]

replace github.com/kopia/kopia => github.com/project-velero/kopia v0.17.0-velero-patch

This with or without direct goproxy also result in

GOPROXY=direct go mod tidy 
go: downloading github.com/project-velero/kopia v0.17.0-velero-patch
go: github.com/openshift/oadp-operator imports
        k8s.io/apimachinery/pkg/apis/meta/v1/unstructured tested by
        k8s.io/apimachinery/pkg/apis/meta/v1/unstructured.test imports
        github.com/stretchr/testify/assert: github.com/kopia/[email protected] (replaced by github.com/project-velero/[email protected]): verifying go.mod: github.com/project-velero/[email protected]/go.mod: reading https://sum.golang.org/lookup/github.com/project-velero/[email protected]: 404 Not Found