[release/2.7] update to go1.16

[thaJeztah]

relates to #3466, as the updated github.com/golang-jwt/jwt v3.2.2 requires to 1.15 or 1.16

[wy65701436]

lgtm

[wy65701436]

we should also update https://github.com/distribution/distribution/blob/main/go.mod#L3 and https://github.com/distribution/distribution/blob/main/Dockerfile#L1

For the docker file, it probably needs to add ENV GO111MODULE auto

[wy65701436]

see the comments

[thaJeztah]

we should also update https://github.com/distribution/distribution/blob/main/go.mod#L3 and https://github.com/distribution/distribution/blob/main/Dockerfile#L1

This is the release/2.7 branch, so the go.mod doesn't apply. We also should not update the version in go.mod unless the code does not work with older go versions (it specifies the minimum required version to use, although currently only will print a warning).

For the docker file, it probably needs to add ENV GO111MODULE auto

Ah, yes, that's a good catch; adding that.

[thaJeztah]

Updated, PTAL

[thaJeztah]

opened #3474 for the main branch

[wy65701436]

lgtm

[wy65701436]

oh, yes, it's for v2.7

cc @milosgajdos do we want to upgrade the golang major version in a patch release? I know it's caused by the jwt security issue.

[milosgajdos]

cc @milosgajdos do we want to upgrade the golang major version in a patch release? I know it's caused by the jwt security issue.

Not to sound SemVer pedantic, but we're talking about minor version upgrade here

Even though 2.7 is quite behind the main and thus we might [reasonably] expect different performance, just for the sake of security we should go ahead with the upgrade 🤔

[thaJeztah]

Yeah, older version of Go (<1.15) are no longer maintained, and may have unpatched security fixes that could affect this project. The Go language itself has a stability promise (v1.xx are promised to be backward compatible), but of course stdlib packages may have new additions (which in this case was needed for the jwt package)