Conversation
Dependencies.md
Outdated
| ## Go versions | ||
|
|
||
| We aim to support a building of the k6 binary with the two latest versions of golang, which reflects the support [policy](https://go.dev/doc/devel/release#policy) of the Go team. | ||
| We aim to support building of the k6 binary with the two latest versions of golang as long as the latest version has at least `.1` path release. The support [policy](https://go.dev/doc/devel/release#policy) of the Go team details that they support the two latest versions. |
There was a problem hiding this comment.
I don't understand exactly why we need to wait for the.1 release? Have we had a bad experience in the past? Is it only to ensure that we work with a release which is most likely to work?
I'd like to add the reason for this decision so that it's clearer for future readers.
There was a problem hiding this comment.
Because it reduces the risk to bring into our systems a zero-day exploit, and on the other side we don't get any benefit from rushing on updating it.
Go is very regular with updates, and there is always a first patch after a few weeks from the major release. This is my reasoning about it.
There was a problem hiding this comment.
Right, i see, but a zero day vulnerability can also live in an old version of an unsupported Go version such as 1.24, and there's a chance that the Go maintainers will not fix it... not sure what's best, but happy to go with what has worked so far 🙂
There was a problem hiding this comment.
I would argue there are multiple reasons. Some of which are more "why we do not release k6 binaries with 1.26 the day it comes out". And some of them are more "why we do not have 1 version of go we support" - so currently we will just support 1.25 and then we move to 1.26 and never have 2 versions.
In general they come down to - usually it is not worth it for us to jump as fast as it is released, and we have to do work to get there, so we might as well not just do it.
I would argue golang should be support 1.24 for a month or so after 1.26 is released, and if this was paid support they certainly would, but they are not 🤷 .
Some reasons (in no particular order):
- We do not care about features in new golang versions 99% of the time. As in practice we will now start using stuff from 1.25 - the stuff in 1.25 are interesting. 1.26 has new GC - maybe that will be nice, maybe not. But we do not have this case of "oh a new API we need it now"
- New versions (among potential security versions) usually have some very bad bugs that are really hard to catch especially on "not x86" machines - see the list in the milestone and see how many are arm or even just windows specific bugs. I do not really want to try to debug a regression from them.
- golangci-lint needs and upgrade on each major go update. They are now more on top of it then before - they release the same day. But we usually need to update a bunch of stuff along this otherwise our CI is broken.
- The version propagation through all the caches has also been a case where if we updated too fast, somebody somewhere hasn't built (yet) the docker image for 1.26 with the specific things we care about. Or it turns out one CI runner has it, the other still thinks it is not out. This arguably is GHA issues, but we are the ones that have failing CI.
- We usually want to test this more in GCk6 prod - which means that moving to this new go versions needs to happen in the correct part of the release cycle. Which given that 1.26.1 is planned for
tomorrowalready released, likely will be the next week or so. - We do not really release with the old version - we just have our CI. Theoretically we can drop the older version from CI and not know if we break something. Or we can just drop it after 1.26 was released so that we move to 1.25 only for a time. This seems like a lot of work. Instead, we just wait for 1.26.1 and slow down some updates.
See #5702 for an already opened PR that bumps the go to see some of those in action.
The list of changes in 1.26.1 are for example a bunch of CVEs in 1.26 only, and some in 1.25.
p.s. I started writing this before .1.26.1 was released 😅 but apparently didn't click reply.
There was a problem hiding this comment.
These are good arguments for keeping the process as is. Thanks for the background. I'll try to add these in so that future readers know why we do what we do.
ankur22
force-pushed
the
update/dependency-go-version
branch
from
54ecfa0 to
5b3d563
Compare
ankur22
force-pushed
the
update/dependency-go-version
branch
from
5b3d563 to
85000c5
Compare
ankur22
requested review from
codebien and
oleiade
and removed request for
a team
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
codebien
requested review from
inancgumus,
joanlopez and
mstoykov
and removed request for
codebien
ankur22
changed the title
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
Co-authored-by: Inanc Gumus <inanc.gumus@grafana.com>
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
Co-authored-by: Ivan <2103732+codebien@users.noreply.github.com>
Co-authored-by: Ivan <2103732+codebien@users.noreply.github.com>
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
ankur22
temporarily deployed
to
azure-trusted-signing
GitHub Actions
Inactive
4 participants
What?
Updates the dependency.md file with when we update Go version in the go.mod file.
Why?
To avoid confusion and make it clear with an example.
Checklist
make check) and all pass.Checklist: Documentation (only for k6 maintainers and if relevant)
Please do not merge this PR until the following items are filled out.
Related PR(s)/Issue(s)