Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade zap to v1.21.0 #42

Merged
merged 1 commit into from
Feb 17, 2022
Merged

Upgrade zap to v1.21.0 #42

merged 1 commit into from
Feb 17, 2022

Conversation

alex1989hu
Copy link
Contributor

@alex1989hu alex1989hu commented Feb 13, 2022
edited
Loading

This upgrade also implies that we have to build
on Go 1.15 which is build requirement of recent
zap version

However - as per PR discussion - we continue to
build the library with Go 1.13

Signed-off-by: Alex Szakaly <[email protected]>

@cla-checker-service
Copy link

cla-checker-service bot commented Feb 13, 2022
edited
Loading

💚 CLA has been signed

@alex1989hu
Copy link
Contributor Author

/sign

@apmmachine
Copy link
Contributor

apmmachine commented Feb 13, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-02-17T08:26:32.157+0000

  • Duration: 7 min 38 sec

Test stats 🧪

Test Results
Failed 0
Passed 29
Skipped 0
Total 29

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@axw
Copy link
Member

axw commented Feb 14, 2022

@alex1989hu what is the reason for the module upgrade? Without a good reason, I would prefer not to break compatibility with older versions of Go. Users of ecszap can still use a newer version of zap without forcing it in ecszap's go.mod.

@alex1989hu
Copy link
Contributor Author

@alex1989hu what is the reason for the module upgrade? Without a good reason, I would prefer not to break compatibility with older versions of Go. Users of ecszap can still use a newer version of zap without forcing it in ecszap's go.mod.

hey @axw probably the best reason is to remediate vulnerabilities which can easily end up in the user code due to outdated ecs-logging-go-zap's uber-go/zap dependency:

If the user's code depends on ecs-logging-go-zap which transitively pulls the outdated uber-go/zap, then the user will not get the latest version of uber-go/zap - the only way is to forcing dependency update of uber-go/zap.

On the other hand, if I am not mistaken, Go 1.13 is already reached its end of life. I also found Go 1.15 is also outdated but ecs-logging-go-zap itself depends on uber-go/zap which requires >= Go 1.15

Worth to consider that uber-go/zap is also evolved in the meantime, so we have

  • v1.15.0 - 2 bugfixes
  • v1.16.0 - 5 bugfixes
  • v1.17.0 - 1 bugfix, 2 vulnerability update
  • v1.18.0 - 6 enhancements
  • v1.18.1 - 1 bugfix
  • v1.19.0 - 2 enhancements
  • v1.19.1 - 2 bugfixes
  • v1.20.0 - 4 bugfixes, 2 enhancements
  • v1.21.0 - 1 bugfix, 2 enhancements

@axw
Copy link
Member

axw commented Feb 15, 2022

Understood. Users should update to the latest Go version, and the latest zap version, to get security bug fixes and enhancements. However, it is not ecszap's responsibility to enforce this -- it's the application developer's. If ecszap were a logger in its own right which just happened to use zap undder the hood, it would be a different matter; but ecszap is a companion to zap, so it's reasonable to expect application developers to keep their zap dependency up-to-date.

Re Go versions: our stance is that the supported Go versions forms part of the semver contract. This isn't followed by all Go libraries, but it is followed by ecszap. Updating the minimum supported version would require a major version bump, and I don't think that's warranted at the moment. Again, application developers are responsible for updating their Go version.

@alex1989hu
Copy link
Contributor Author

Understood. Users should update to the latest Go version, and the latest zap version, to get security bug fixes and enhancements. However, it is not ecszap's responsibility to enforce this -- it's the application developer's. If ecszap were a logger in its own right which just happened to use zap undder the hood, it would be a different matter; but ecszap is a companion to zap, so it's reasonable to expect application developers to keep their zap dependency up-to-date.

I would like to ask you to clarify the gap between maintaining dependency of ecs-logging-go-zap vs. other elastic product like ecs-logging-java.

I think ecs-logging-java is the same as ecs-logging-go-zap: it is not a logger, it is companion to logback/log4j/log4j2.

I am confused. If we agree that is the application developer responsibility to keep their dependant library up-to-date that all the following PRs shall be not merged:

Related to semver contract concern: to reflect breaking change I propose to release v2 module of ecs-logging-go-zap

@axw
Copy link
Member

axw commented Feb 16, 2022

Fair questions! You're correct that ecs-logging-go-zap and ecs-logging-java are equivalent in this regard. I was perhaps being too extreme.

Evidently we do sometimes bump versions for vulnerabilities, log4j2 being a great case in point. That was a critical vulnerability, and we did everything we could to limit its impact. Fortunately that could be done without breaking changes. If we couldn't, we would have done what you suggest and create new major version.

I just tested bumping ecszap's zap dependency to v1.21.0, along with Go 1.13, and it works fine. Zap may not support officially support <Go1.15, but I think we can bump without also bumping the minimum supported version of Go for ecszap. How does that sound do you?

@alex1989hu
Copy link
Contributor Author

Thank you for the clarification. I can accept your quick testing experience related to Go 1.13

I am happy to rewrite the commit - reverting Go 1.13 related changes - in this PR if we can agree upon this.

Almost forget to mention: if this (modified) PR is in, could you please create tag to let application developers use the dependency with a proper tag. I know, we can use commit SHA1 as library version but having a tag would be nicer.

@axw
Copy link
Member

axw commented Feb 17, 2022

I am happy to rewrite the commit - reverting Go 1.13 related changes - in this PR if we can agree upon this.

Sounds good, please go ahead and revert the "go 1.15" change in go.mod and and the Jenkinsfile change, and I'll be happy to merge.

Almost forget to mention: if this (modified) PR is in, could you please create tag to let application developers use the dependency with a proper tag. I know, we can use commit SHA1 as library version but having a tag would be nicer.

No problem, I can create a patch release once this is merged.

@alex1989hu
Upgrade zap to v1.21.0
3c14560 
This upgrade also implies that we have to build
on Go 1.15 which is build requirement of recent
zap version

However - as per PR discussion - we continue to
build the library with Go 1.13

Signed-off-by: Alex Szakaly <[email protected]>
@alex1989hu
Copy link
Contributor Author

@axw I have just updated the PR

@axw
Copy link
Member

axw commented Feb 17, 2022

/test

@axw
Copy link
Member

axw commented Feb 17, 2022

Thanks @alex1989hu! I'll create a new release soon.

@axw axw merged commit 8ef9261 into elastic:main Feb 17, 2022
@alex1989hu alex1989hu deleted the chore/upgrade-zap branch February 17, 2022 19:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@axw axw axw approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alex1989hu @apmmachine @axw