New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: update code.gitea.io/sdk/gitea #1220
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1220 +/- ##
=======================================
Coverage 83.65% 83.65%
=======================================
Files 58 58
Lines 3285 3285
=======================================
Hits 2748 2748
Misses 456 456
Partials 81 81 Continue to review full report at Codecov.
|
missing a go mod tidy maybe? 🤔 |
Thanks for the PR btw! 🚀 |
Any specific reason for removing GoCenter from the proxy list? It would be valuable feedback for us. Tks! |
I removed GoCenter due to #1217 (comment) Since GoCenter can give a positive answer to an "invalid" pseudo version, it does not provide enough guarantees for a CI. From my point of view, a CI must guarantee a strict check for the dependencies. From my point of view, as https://proxy.golang.org is the default in Go, the other Go proxies must find a way to guarantee the same behavior to allow all the users, whatever the proxy used, to obtain a reproducible environment, it's something really important for an open source project. For now, the PR #1217 prove that GoCenter don't provide those guarantees, but I hope that it will evolve or that I missed something. PS: I'm not a part of the goreleaser team, it's just my point of view. |
@elioengcomp basically what @ldez said. It needs to be consistent, otherwise we can get hard-to-debug issues like the ones refs by the OP on the PR description. |
I disagree when you say that it does not provide enough guarantees for a CI and I actually think it is the other way around. A central repository like GoCenter has two basic premises that need to be followed in order for users and CI jobs to achieve reproducible builds:
Those two premisses need to be followed regardless the environment in which the central repository is being used, since the conditions in which builds happened are unknown and, if the same conditions happen again, the build needs to produce the same results. That is what reproducible builds mean. Also keep in mind that if a module is available in GoCenter that means it was requested and fetched by a user that is depending on that to run a build. According to the behavior observed with Google's proxy, If the user was fetching the content from GitHub or GoCenter and decide to switch to that, the build will break. So it seems to me that, by keeping serving that content regardless of the Go command version being used, GoCenter is following the two basic premisses of a central repository and promoting reproducible builds. |
@caarlos0 I agree that it needs to be consistent, but it needs to be consistent with the past. If we change the central repository behavior over time, old builds will never be able to be reproduced. And like we say in Brazil, reproducible builds are like pregnancy, there is no partially reproducible builds like there is no partially pregnant woman. :) (bad joke, I know) |
I get it. I think it should also be consistent with the default proxy, otherwise a build may pass with gocenter and fails with the default proxy, which may cause confusion... |
I agree. That is the goal of the interoperability between proxies provided by the Go modules download protocol and is probably true for the huge majority of the cases. However, we are not willing to chase that when Google's proxy opinion goes against the two premises and breaks the previous behavior observed by users. Remember that, even though it is the default one, Google's proxy was created after users were already fetching their dependencies from source and even after GoCenter. |
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Allow to build with go1.13.
Fixes invalid pseudo version for
github.com/go-macaron/cors
Update
code.gitea.io/sdk/gitea
Related #1132 #1138 #1217