x/build: update x/ dependencies in untagged x/ repos when applying tags

[bcmills]

Now that we are automatically tagging releases for many of the golang.org/x/... repos (#48523), we are incidentally updating the other x-repo dependencies in their go.mod files. However, some of our x repos that are not currently tagged (notably x/debug) also depend on the tagged x repos, and those currently require manual updates (as in https://go.dev/cl/446515).

When we add a new tag for an x repo, it would be nice to also update the untagged x repos that depend on it to prevent our internal dependencies from getting too stale.

(As @dmitshur pointed out to me, x dependencies are safe to upgrade because they have necessarily gone through Go's code review process, whereas upgrading non-x dependencies may require auditing upstream changes.)

[FiloSottile]

I found this issue because I wanted to ask why are we blindly updating x/ module inter-dependencies. I'm not sure consumers (us included) should be forced to update every (or, rather, an arbitrary subset) x/ repo every time they update one, if there is no actually related change.

For example, v0.3.0 of x/crypto depends on v0.2.0 of x/net because of the automatic upgrades, but the standard library is on v0.1.0. CL 353849 needs to bring in a recent x/crypto change. Without that upgrade, I could have just pulled x/crypto up in CL 353849. Instead, I now have to make a separate CL that also imports unrelated http2 changes in x/net.

[dmitshur]

@FiloSottile This question is a better fit for issue #36905, if I understand it correctly. With the 1.20 freeze coming up next week, we will be updating the std and cmd modules to vendor the latest tip versions of all golang.org/x modules, which will include x/net's v0.2.0 and 4 commits since.

[FiloSottile]

@dmitshur I don't think it's related to #36905: first, the stdlib case is just an example of why a consumer might not want to pull in unrelated updates when updating a x/ repo. Non-stdlib modules might also want to selectively update. Second, if the std bump comes at the start of the freeze, it won't help me with CL 353849 unless we make a freeze exception, because CL 353849 depends on the x/crypto bump.

This issue is about automatically updating x/ dependencies in untagged x/ repos. What I'm saying is that I don't understand why we are automatically updating x/ dependencies in any x/ repos at all.

[bcmills]

In general it isn't feasible to test every x repo commit against every commit to each of its dependencies, so there will always be some amount of “untested skew” between the repos: that is, an accidental breaking change (or accidental dependency on an implementation detail) may break a package or test in another repo without causing the build for that repo to immediately fail.

Keeping the dependencies within our repos reasonably up-to-date limits that skew to a smaller interval of time and a smaller of interval of changes, making it more likely that the incompatibility will be noticed (and fixed) quickly and also reducing the number of commits that may need to be bisected in order to diagnose a regression.

(Note that we can update the x repos automatically because they all have the same code-review requirements. We cannot apply the same policy to automatically update third-party dependencies, because we may need to audit the changes in those dependencies before we can safely use them.)

[bcmills]

As a data point, #57147 reported x/vuln tests that have been failing since early November on the android builders. The test failures appear to be fixed by upgrading the x/tools dependency in that module to the latest tagged release (done in CL 456122).

It would be nice if those kinds of fixes could happen automatically.

[bcmills]

Another data point (#57217): x/website is currently broken on freebsd/riscv64 due to a very out-of-date x/sys.

[bcmills]

...and, here is exactly the case in point.

• x/website still tests against Go 1.16 because AppEngine (x/website/cmd/golangorg: update to newer App Engine runtime when available #51800).
• x/sys no longer supports Go 1.16 (as of https://go.dev/cl/428515) because it follows the Go project's general support policy.
• x/sys/unix at an older version does not build on freebsd/riscv64 (x/website: build broken on freebsd-riscv64-unmatched due to outdated x/sys dependency #57217), so staying on the older version breaks x/website on that platform.

If we were updating the x/website dependencies promptly upon tagging x/sys releases, this problem would have been discovered earlier.

[bcmills]

Another data point: CL 480936 updated the x/build dependency on x/net to get past vulnerability GO-2023-1571 (#57855), which would have been fixed automatically if the dependency had been upgraded when x/net was tagged.

[gopherbot]

Change https://go.dev/cl/487615 mentions this issue: internal/task: update golang.org/x dependencies in untagged repos

[dmitshur]

One more data point: x/pkgsite is untagged so its x/mod dependency wasn't automatically updated. If this issue were resolved, #62031 might've been resolved sooner or avoided.

[gopherbot]

Change https://go.dev/cl/523155 mentions this issue: internal/tag: improve how fakes report non-existing file and no tags

[gopherbot]

Change https://go.dev/cl/525655 mentions this issue: internal/task: opt x/vuln in for updates only

[gopherbot]

Change https://go.dev/cl/525657 mentions this issue: internal/task: tidy x/exp and x/telemetry nested modules too