Linting and Code Scanning #178
Conversation
…fewer places to hide
… can confidently debug
…efore can confidently debug
…o for no reason, remanining
faddat
changed the title
there is only one failing and it is docker hub authorization. Also on: ff2e40b
The reason for liveness test existence: For a distributed system, the FLP theorem dictates properties of a consensus network
liveness test is an overall attack on FLP theorem by randomly shut down nodes. More information here: https://disco.ethz.ch/courses/hs21/distsys/lnotes/chapter16.pdf |
|
https://github.com/rokroskar/workflow-run-cleanup-action seems to be deprecated, precise change to this is needed |
|
The maintainers are allowed to push to this branch, you know. I do think it is a very significant improvement in many areas. Please feel welcome to fix the liveness test, I've brought it back. |
|
Should really not have big red X on main. I'm going to kinda just step back. ikyk I know what the liveness test is. Do refactor go.mod, I've never seen anything like its current state anywhere before. |
|
@nghuyenthevinh2000 you mean, it's been deprecated for months and months and months, and no one checked? yeah welcome to my world. good job checking. Those files were last edited 19 months ago. |
|
Tobias choice for golang 1.18 over newer go version seems due to practice in banking: "If it ain’t broke, don’t fix it" The COBOL language has been powering the banking system for too long time but it is stable. If we apply this context to Terra - Classic, a system meant to be durable like banking, current go 1.18 is functioning and best not to touch it. Moving version upward introduces potential break. Of course, not moving go version upward is not a good choice also. It is best to leave the choice of go version in upgrade tesnet phase. The current phase is development. |
|
done with this for now, you have access to push to this branch, so, feel free to smooth whatever you'd like. |
thanks, I will have a look |
|
Final thought -- l1tf -- supposed to maintain the chain. The idea that this is out of scope, seems rather.... bad. Either redefine the scope or announce you're not really maintaining the chain (obvs I recommend that you actually do maintainership work) |
|
@nghuyenthevinh2000 sir, when google deprecates a language runtime really, really early, they have reasons for doing it. I make changes like those, following google's advice, because:
I understand that Tobias thinks he knows better, but for real: Check the CVE's 🖖 (no seriously man check them) good place to begin the research journey: Golang is not cobol. It is a garbage collected, type safe system with a full network stack in the standard library <- bolded for emphasis If the authors of COBOL said "don't use this version of cobol, we don't recommend it, it might shoot your dog, here are two supported versions of COBOL" ... would it make even an iota of sense to use the version of cobol where the actual authors are telling you that it could shoot your dog? Additionally, the version of the language runtime is most certainly NOT the only thing I changed in #179. I will reopen it. You should review it. While reviewing look at the present state of go.mod, and look at the replaces. Then look for deprecations among them. Same situation. Deprecated code, is the authors telling you "don't use this, it could shoot your dog". Currently the replace section of go.mod is chock full of deprecated software. @nghuyenthevinh2000 I tried to reopen my go.mod PR just now but there are a bunch of conflicts. Please feel free to use this: go 1.20
module github.com/classic-terra/core
require (
github.com/CosmWasm/wasmvm v0.16.7
github.com/cosmos/cosmos-sdk v0.45.13
github.com/cosmos/gogoproto v1.4.6
github.com/cosmos/ibc-go v1.3.1
github.com/gogo/protobuf v1.3.3
github.com/golang/protobuf v1.5.2
github.com/google/gofuzz v1.2.0
github.com/gorilla/mux v1.8.0
github.com/grpc-ecosystem/grpc-gateway v1.16.0
github.com/pkg/errors v0.9.1
github.com/rakyll/statik v0.1.7
github.com/spf13/cast v1.5.0
github.com/spf13/cobra v1.6.1
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.1
github.com/tendermint/tendermint v0.34.24
github.com/tendermint/tm-db v0.6.7
google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f
google.golang.org/grpc v1.53.0
gopkg.in/yaml.v2 v2.4.0
)
require (
filippo.io/edwards25519 v1.0.0-beta.2 // indirect
github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
github.com/99designs/keyring v1.1.6 // indirect
github.com/ChainSafe/go-schnorrkel v0.0.0-20200405005733-88cbf1b4c40d // indirect
github.com/Workiva/go-datastructures v1.0.53 // indirect
github.com/armon/go-metrics v0.4.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/speakeasy v0.1.1-0.20220910012023-760eaf8b6816 // indirect
github.com/btcsuite/btcd v0.22.2 // indirect
github.com/cespare/xxhash v1.1.0 // indirect
github.com/cespare/xxhash/v2 v2.1.2 // indirect
github.com/coinbase/rosetta-sdk-go v0.7.0 // indirect
github.com/confio/ics23/go v0.9.0 // indirect
github.com/cosmos/btcutil v1.0.4 // indirect
github.com/cosmos/go-bip39 v1.0.0 // indirect
github.com/cosmos/gorocksdb v1.2.0 // indirect
github.com/cosmos/iavl v0.19.5 // indirect
github.com/cosmos/ledger-cosmos-go v0.12.2 // indirect
github.com/cosmos/ledger-go v0.9.2 // indirect
github.com/creachadair/taskgroup v0.3.2 // indirect
github.com/danieljoos/wincred v1.1.2 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
github.com/dgraph-io/ristretto v0.0.3 // indirect
github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
github.com/dustin/go-humanize v1.0.0 // indirect
github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
github.com/felixge/httpsnoop v1.0.2 // indirect
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/go-kit/kit v0.12.0 // indirect
github.com/go-kit/log v0.2.1 // indirect
github.com/go-logfmt/logfmt v0.5.1 // indirect
github.com/gobwas/ws v1.1.0 // indirect
github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
github.com/gogo/gateway v1.1.0 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/btree v1.0.1 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/orderedcode v0.0.1 // indirect
github.com/gorilla/handlers v1.5.1 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
github.com/gtank/merlin v0.1.1 // indirect
github.com/gtank/ristretto255 v0.1.2 // indirect
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
github.com/hashicorp/golang-lru v0.5.5-0.20210104140557-80c98217689d // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hdevalence/ed25519consensus v0.0.0-20210204194344-59a8610d2b87 // indirect
github.com/improbable-eng/grpc-web v0.14.1 // indirect
github.com/inconshreveable/mousetrap v1.0.1 // indirect
github.com/jmhodges/levigo v1.0.0 // indirect
github.com/klauspost/compress v1.15.13 // indirect
github.com/lib/pq v1.10.6 // indirect
github.com/libp2p/go-buffer-pool v0.1.0 // indirect
github.com/magiconair/properties v1.8.6 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.16 // indirect
github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
github.com/mimoo/StrobeGo v0.0.0-20210601165009-122bf33a46e0 // indirect
github.com/minio/highwayhash v1.0.2 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mtibben/percent v0.2.1 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.5 // indirect
github.com/petermattis/goid v0.0.0-20180202154549-b0b1615b78e5 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.14.0 // indirect
github.com/prometheus/client_model v0.3.0 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/regen-network/cosmos-proto v0.3.1 // indirect
github.com/rs/cors v1.8.2 // indirect
github.com/rs/zerolog v1.27.0 // indirect
github.com/sasha-s/go-deadlock v0.3.1 // indirect
github.com/spf13/afero v1.9.2 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/viper v1.14.0 // indirect
github.com/subosito/gotenv v1.4.1 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7 // indirect
github.com/tendermint/go-amino v0.16.0 // indirect
github.com/tidwall/btree v1.5.0 // indirect
github.com/zondax/hid v0.9.1 // indirect
go.etcd.io/bbolt v1.3.6 // indirect
golang.org/x/crypto v0.5.0 // indirect
golang.org/x/exp v0.0.0-20230131160201-f062dba9d201 // indirect
golang.org/x/net v0.7.0 // indirect
golang.org/x/sys v0.5.0 // indirect
golang.org/x/term v0.5.0 // indirect
golang.org/x/text v0.7.0 // indirect
google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
nhooyr.io/websocket v1.8.7 // indirect
)
// the sdk's mandatory replaces
replace (
// use cosmos fork of keyring
github.com/99designs/keyring => github.com/cosmos/keyring v1.2.0
// dgrijalva/jwt-go is deprecated and doesn't receive security updates.
// TODO: remove it: https://github.com/cosmos/cosmos-sdk/issues/13134
github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 v4.4.2
// Fix upstream GHSA-h395-qcrw-5vmq vulnerability.
// TODO Remove it: https://github.com/cosmos/cosmos-sdk/issues/10409
github.com/gin-gonic/gin => github.com/gin-gonic/gin v1.8.1
// Use regen gogoproto fork
// This for is replaced by cosmos/gogoproto in future versions
github.com/gogo/protobuf => github.com/regen-network/protobuf v1.3.3-alpha.regen.1
// use a secure protoreflect version
github.com/jhump/protoreflect => github.com/jhump/protoreflect v1.9.0
// use grpc compatible with regen gogoproto fork
google.golang.org/grpc => google.golang.org/grpc v1.33.2
)
// replaces that lunc needs
replace (
// use fork of cosmos-sdk with lunc's changes
github.com/cosmos/cosmos-sdk => github.com/classic-terra/cosmos-sdk v0.45.13-classic
// use a ledger library that uses coin-type 330
github.com/cosmos/ledger-cosmos-go => github.com/terra-money/ledger-terra-go v0.11.2 // TODO: bring this up to date with github.com/cosmos-ledger-cosmos-go
// use a version of tendermint that is patched for lunc
github.com/tendermint/tendermint => github.com/classic-terra/tendermint v0.34.24-terra.0 // TODO: minimum safe version of tendermint is v0.34.26, see release notes at https://github.com/informalsystems/tendermint
) |
|
|
#> @nghuyenthevinh2000 sir, when google deprecates a language runtime really, really early, they have reasons for doing it.
Afaik 1.18 is not deprecated. Google simply released newer versions with more features and they are naturally trying to nudge people to upgrade. This is however a never ending cycle of big vendors pushing innovations and enterprise wanting stability/predictability. Thus MS is now offering up .NET 7 which is actually a merge of .NET Classic and their new cross platform .NET framework that allows enterprise, which did not upgrade from .NET classic due to the above reasoning, to run their application code on a unified framework. In the same way Google will keep the lights on for Go 1.18 for as long as there is a market demand for it and my personal view is that given that 1.18 was released on March 15, 2022 @ https://go.dev/blog/go1.18 it is highly unlikely that the framework release version will not be supported for 3 - 5 years as is the standard in enterprise IT. |
| @@ -0,0 +1,35 @@ | |||
| version: 2 | |||
There was a problem hiding this comment.
See my other comment about dependabot
| @@ -0,0 +1,37 @@ | |||
| --- | |||
There was a problem hiding this comment.
We are in the process of building a new CI/CD pipeline. So most of the assets will most likely end up being deprecated
|
@ZaradarBH https://endoflife.date/go
However, I found no official sources on go 1.18 deprecation... (Like, from Google) Wikipedia says it's deprecated too. |
I know about this site. But just to put it into context, just because I state a perceived "ideal" as issued by us as developers. Do you really think businesses and investors care about that? In that light, do you think Google prioritizes ideals over money? Kubectl follows the same general engineering principle with only having two-version compatibility between kubectl and the version of k8s your running in a target cluster. This does not mean that older versions are automatically deprecated and AWS have to update all their managed EKS instances every 6 months. Simply that they are no longer accepting RFCs. So find me an official source from Google that states that everyone needs to migrate away from 1.18 under fear of death, then we can talk about re-prioritizing it. |
I fully support you with this. Chain stability goes first. go 1.19 has proven to be instable with this chain. I just want to throw it into this context without offending you. Because it's important to bear in mind and we should move to the next go version. However, if you ask me, it won't happen with this PR. And most certainly not in 2.0.0 |
|
@ZaradarBH sir, it really doesn't seem like I'm offended -- and I'm not. Then again, you need to live with this: "Jacob why'd you make these PR's then?" The culture we're building at Notional doesn't permit validating a chain and letting it slide. The chain was unstable not because of go 1.19, but because it mixed go 1.18 and 1.19 and likely 1.20 as well. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Jacob your list of supposed "falsehood" is pointless and largely self-denial on your part. If you want to extend this into the legal realm I am more then willing and able to take this all the way. However I would advice against it because quiet frankly the internet is rife with examples of your "instability", so focus on what matters or end up getting ignored. |
|
closing in favor of #270 |
note
This PR addresses a number of code quality issues.
Per @fragwuerdig request, it no longer contains other PRs and is a freestanding PR into the main branch that lints it.
changes
Static Analysis
Summary of changes
This PR lints the codebase so that issues can be discovered more easily. For
example, the testnet code in the cmd folder was using a deprecated call.
It also introduces a set of tooling that increases the rigor of automated testing.
Report of required housekeeping
(FOR ADMIN) Before merging