
Potential collision and risk from indirect dependence "github.com/etcd-io/bbolt" #1220

Open
KateGo520 opened this issue Aug 12, 2020 · 4 comments

Comments

@KateGo520

Dependency line:

github.com/iov-one/weave --> github.com/tendermint/tendermint v0.31.12 --> github.com/etcd-io/bbolt

Background

The etcd-io/bbolt project has already renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt".
As the etcd-io/bbolt README.md says, downstream repos should use "go.etcd.io/bbolt" to get or import etcd-io/bbolt.

> To start using Bolt, install Go and run go get:
> $ go get go.etcd.io/bbolt/...
> This will retrieve the library and install the bolt command line utility into your $GOBIN path.
>
> Importing bbolt
> To use bbolt as an embedded key-value store, import as:
> import bolt "go.etcd.io/bbolt"
> …

But tendermint/tendermint v0.31.12 still used the old path:
https://github.com/tendermint/tendermint/blob/v0.31.12/libs/db/boltdb.go#L12

package db
import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"github.com/etcd-io/bbolt"
)

I find that go.etcd.io/bbolt and github.com/etcd-io/bbolt coexist in this repo:
https://github.com/iov-one/weave/blob/master/go.mod (lines 7 & 28)

github.com/etcd-io/bbolt v1.3.3 // indirect
go.etcd.io/bbolt v1.3.3 // indirect

That’s because etcd-io/bbolt has already renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt" in version v1.3.3. When Go uses the old path "github.com/etcd-io/bbolt" to import etcd-io/bbolt, it will reintroduce etcd-io/bbolt through the import statements "import go.etcd.io/bbolt" in the Go source files of etcd-io/bbolt.

https://github.com/etcd-io/bbolt/blob/v1.3.3/cursor_test.go#L14

package bbolt_test
import (
	bolt "go.etcd.io/bbolt"
	…
) 

The "go.etcd.io/bbolt" and "github.com/etcd-io/bbolt" are the same repos. This will work in isolation, bring about potential risks and problems.

Solution

1. Add a replace statement in the go.mod file:

replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3

Then clean the dependencies.

2. Update the direct dependency github.com/tendermint/tendermint. The latest version of github.com/tendermint/tendermint is v0.33.8. This problem does not exist in the new version.
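The duplicate-module situation described in this issue (one repository pulled in under both its old GitHub path and its new vanity path) can be caught mechanically before it reaches a build. The following Go program is an added example written for this thread; it is not code from the weave, tendermint or bbolt projects. It parses the require lines of a go.mod, reports any module that is required under both paths of a known old/canonical pair, and prints the replace directive the issue proposes. The sample go.mod, the `canonicalPath` table (which lists only the bbolt pair from this issue) and the function names are all constructed assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// canonicalPath maps an old module path to the vanity path the same
// repository was renamed to. Hypothetical starting table: only the pair
// discussed in this issue is listed, it is not an authoritative registry.
var canonicalPath = map[string]string{
	"github.com/etcd-io/bbolt": "go.etcd.io/bbolt",
}

// Duplicate records one repository that a go.mod requires under two paths.
type Duplicate struct {
	OldPath, OldVersion string
	NewPath, NewVersion string
}

// parseRequires returns module path -> version for every require line,
// handling both the single-line form and the "require ( ... )" block.
// Trailing comments such as "// indirect" are stripped first.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")" && inBlock:
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue // module, go, replace and blank lines outside a block
		}
		if fields := strings.Fields(line); len(fields) == 2 {
			reqs[fields[0]] = fields[1]
		}
	}
	return reqs
}

// FindDuplicates reports every known old/canonical pair for which the
// go.mod requires both paths, i.e. the same repository twice.
func FindDuplicates(gomod string) []Duplicate {
	reqs := parseRequires(gomod)
	var dups []Duplicate
	for oldPath, canon := range canonicalPath {
		oldV, hasOld := reqs[oldPath]
		newV, hasNew := reqs[canon]
		if hasOld && hasNew {
			dups = append(dups, Duplicate{oldPath, oldV, canon, newV})
		}
	}
	return dups
}

// ReplaceDirective builds the go.mod line that redirects the old path to
// the canonical one, pinned to the version already required there.
func ReplaceDirective(d Duplicate) string {
	return fmt.Sprintf("replace %s => %s %s", d.OldPath, d.NewPath, d.NewVersion)
}

// sampleGoMod is a constructed excerpt modelled on the two lines quoted in
// the issue; it is not the real weave go.mod.
const sampleGoMod = `module github.com/example/weave

go 1.14

require (
	github.com/etcd-io/bbolt v1.3.3 // indirect
	github.com/tendermint/tendermint v0.31.12
	go.etcd.io/bbolt v1.3.3 // indirect
)
`

func main() {
	for _, d := range FindDuplicates(sampleGoMod) {
		fmt.Printf("%s and %s are the same repository (%s / %s)\n",
			d.OldPath, d.NewPath, d.OldVersion, d.NewVersion)
		fmt.Println("suggested go.mod line:", ReplaceDirective(d))
	}
}
```

Running it against the sample prints the bbolt pair and the line `replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3`. In a real repository the same function can be fed the output of `cat go.mod` in CI so that a renamed module sneaking back in through an outdated transitive dependency fails the check instead of silently producing two copies of one library.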

@KateGo520
Author

@husio @orkunkl Could you help me review this issue? Thx :p

@husio
Contributor

husio commented Aug 12, 2020

@KateGo520 I no longer participate in the project. I believe weave is no longer developed.

If weave is no longer maintained, it is worth updating the README with information about that on top of the file and maybe even archiving the repository. @davepuchyr should know what the current state is.

@davepuchyr
Contributor

@KateGo520, thank you for the detailed explanation and proposed solutions. @husio's belief is correct, weave is no longer under development. I will clean up many of IOV's repos after the hard-fork from weave to our mainnet based on cosmos-sdk.

@KateGo520
Author

@davepuchyr @husio Thank you for your reply.
