
Potential collision and risk from indirect dependence "github.com/etcd-io/bbolt"

Open KateGo520 opened this issue 4 years ago • 4 comments

Dependency line:

github.com/iov-one/weave --> github.com/tendermint/tendermint v0.31.12 --> github.com/etcd-io/bbolt

Background

The etcd-io/bbolt has already renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt". As the etcd-io/bbolt README.md says, downstream repos should use "go.etcd.io/bbolt" to get or import etcd-io/bbolt.

To start using Bolt, install Go and run go get:
$ go get go.etcd.io/bbolt/...
This will retrieve the library and install the bolt command line utility into your $GOBIN path.

Importing bbolt
To use bbolt as an embedded key-value store, import as:
import bolt "go.etcd.io/bbolt"
…

But tendermint/tendermint v0.31.12 still used the old path: https://github.com/tendermint/tendermint/blob/v0.31.12/libs/db/boltdb.go#L12

package db
import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"github.com/etcd-io/bbolt"
)

I find that go.etcd.io/bbolt and github.com/etcd-io/bbolt coexist in this repo: https://github.com/iov-one/weave/blob/master/go.mod(Line 7 & 28)

github.com/etcd-io/bbolt v1.3.3 // indirect
go.etcd.io/bbolt v1.3.3 // indirect

That's because etcd-io/bbolt renamed its import path from "github.com/etcd-io/bbolt" to "go.etcd.io/bbolt" in version v1.3.3. When Go uses the old path "github.com/etcd-io/bbolt" to import etcd-io/bbolt, it reintroduces etcd-io/bbolt through the import statement "import go.etcd.io/bbolt" in the Go source files of etcd-io/bbolt.

https://github.com/etcd-io/bbolt/blob/v1.3.3/cursor_test.go#L14

package bbolt_test
import (
	bolt "go.etcd.io/bbolt"
	…
) 

The "go.etcd.io/bbolt" and "github.com/etcd-io/bbolt" are the same repo. These will work in isolation, but bring about potential risks and problems.

Solution

  1. Add a replace statement in the go.mod file:
replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3
Then clean the dependencies.

  2. Update the direct dependency github.com/tendermint/tendermint. The latest version of github.com/tendermint/tendermint is v0.33.8. This problem does not exist in the new version.

KateGo520 avatar Aug 12 '20 01:08 KateGo520
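The check the issue performs by hand (find the old and the canonical import path of the same module in the dependency graph, trace which direct dependency drags the old path in, and derive the replace directive) can be automated over `go mod graph` output. The program below is an added example written for this page; it is not code from weave, tendermint or bbolt. The graph it parses is a constructed excerpt that mirrors the dependency line quoted in the issue, and the `knownRenames` table is an assumption that lists only the bbolt rename discussed here; the function and type names are likewise the example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// knownRenames maps an old module path to the canonical path it was renamed to.
// Assumption: only the rename discussed in the issue is listed; extend the map
// with other renamed modules you care about.
var knownRenames = map[string]string{
	"github.com/etcd-io/bbolt": "go.etcd.io/bbolt",
}

// sampleGraph is a constructed excerpt in the format printed by `go mod graph`
// (one "requirer requirement" pair per line, nodes written as path@version, the
// main module without a version). It mirrors the dependency line from the issue.
const sampleGraph = `github.com/iov-one/weave github.com/tendermint/tendermint@v0.31.12
github.com/iov-one/weave go.etcd.io/bbolt@v1.3.3
github.com/tendermint/tendermint@v0.31.12 github.com/etcd-io/bbolt@v1.3.3
`

// modPath strips the @version suffix from a graph node.
func modPath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// modVersion returns the @version suffix of a graph node, or "" for the main module.
func modVersion(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[i+1:]
	}
	return ""
}

// parseGraph turns `go mod graph` output into an adjacency list keyed by node.
// Lines that are not exactly two fields are skipped rather than guessed at.
func parseGraph(out string) map[string][]string {
	edges := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
		if _, ok := edges[fields[1]]; !ok {
			edges[fields[1]] = nil // register leaf nodes too
		}
	}
	return edges
}

// chainTo returns the shortest require chain (breadth-first) from root to the
// first node whose module path equals target, or nil if it is unreachable.
func chainTo(edges map[string][]string, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modPath(cur) == target {
			var chain []string
			for n := cur; n != ""; n = prev[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Finding describes one module present under both its old and canonical path,
// how the old path is pulled in, and the go.mod line that collapses the two.
type Finding struct {
	OldPath, Canonical string
	Chain              []string
	Replace            string
}

// findRenamedDuplicates reports every known rename whose old and canonical paths
// both occur in the graph. The replace directive pins the canonical module at the
// version the old path resolved to; bump it if a newer canonical version is wanted.
func findRenamedDuplicates(edges map[string][]string, root string) []Finding {
	present := map[string]string{} // module path -> version
	for node, reqs := range edges {
		for _, n := range append([]string{node}, reqs...) {
			if _, ok := present[modPath(n)]; !ok {
				present[modPath(n)] = modVersion(n)
			}
		}
	}
	var out []Finding
	for oldPath, canonical := range knownRenames {
		oldVer, hasOld := present[oldPath]
		if _, hasNew := present[canonical]; !hasOld || !hasNew {
			continue
		}
		out = append(out, Finding{
			OldPath: oldPath, Canonical: canonical,
			Chain:   chainTo(edges, root, oldPath),
			Replace: fmt.Sprintf("replace %s => %s %s", oldPath, canonical, oldVer),
		})
	}
	return out
}

func main() {
	for _, f := range findRenamedDuplicates(parseGraph(sampleGraph), "github.com/iov-one/weave") {
		fmt.Printf("%s also present as %s\n  via: %s\n  fix: %s\n",
			f.OldPath, f.Canonical, strings.Join(f.Chain, " --> "), f.Replace)
	}
}
```

Against the constructed graph it reports the chain weave --> tendermint@v0.31.12 --> github.com/etcd-io/bbolt@v1.3.3 and the directive `replace github.com/etcd-io/bbolt => go.etcd.io/bbolt v1.3.3`. In a real repo, pipe `go mod graph` into `parseGraph` instead of the sample, add the printed line to go.mod, and run `go mod tidy` so the old path drops out of the require list.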

@husio @orkunkl Could you help me review this issue? Thx :p

KateGo520 avatar Aug 12 '20 04:08 KateGo520

@KateGo520 I no longer participate in the project. I believe weave is no longer developed.

If weave is no longer maintained, it is worth updating the README with information about on top of the file and maybe even archiving the repository. @davepuchyr should know what is the current state.

husio avatar Aug 12 '20 06:08 husio

@KateGo520, thank you for the detailed explanation and proposed solutions. @husio's belief is correct, weave is no longer under development. I will clean up many of IOV's repos after the hard-fork from weave to our mainnet based on cosmos-sdk.

davepuchyr avatar Aug 12 '20 17:08 davepuchyr

@davepuchyr @husio Thank you for your reply.

KateGo520 avatar Aug 13 '20 03:08 KateGo520