I really don't understand. Maybe I'm stupid. But I don't see the issue.
I work with go daily, but I'm pretty sure our binary is pegged to a specific go version, using go.mod
I don't see in what scenario I would add a dependency and it would unexpectedly upgrade my go toolchain? Isn't my toolchain version pegged by a go.mod file?
This article may raise a valid concern, but it doesn't propose a clear alternative or solution.
I'm not a go truther but there seems to be lot of pessimism around it (error handling, generics, and now toolchain) and not enough optimism.
The go version line in go.mod doesn't peg the version of the actual compiler, it only pegs the version of the language. It's analogous to flags like --std=c++20 in C++ compilers. If you have code that is, for example, valid go 1.17 and also valid go 1.18, but it behaves differently somehow between the two for reasons that are considered implementation details instead of language changes (for instance, depending on behavior changes in standard libraries), the behavior you get will depend on the version of the go tool that you happen to be running when you build it, not by what's defined in go.mod. That's sort of what's changing in go 1.21 - there's now a "toolchain" directive to specify the precise compiler version that should be used, which is slightly independent of the version of the language semantics that you want to apply.
But of course, it's still not that clear - because the toolchain directive is only respected in the "main" module, and it's also still only a minimum. That means you can't actually guarantee that your module will always be built with exactly that toolchain version - if it's included in someone else's module then it will be built with whatever they happen to be running, and it can always be built with a later version no matter what.
I think the part they take issue with that might surprise you is if you decide to start using a dependency, and that dependency declares in it's go.mod file (not yours) that it needs a newer version than yours, and that triggers a download and toolchain swap.
I think it's... Iffy. I'd prefer it to fail and for it to be up to me to upgrade, personally.
I think that's only what happens for binary (tool) dependencies that are built on their own, though. For library dependencies that you're only building against, their "toolchain" directive would be ignored, because they're not the main module (https://go.dev/doc/toolchain).
Idk, I just looked at the go.mod docs (I assume go.mod is the current standard but I really can't say for certain, the go ecosystem is more of a cluster than python, imo): https://go.dev/ref/mod#go-mod-file-go
> The go directive sets the minimum version of Go required to use this module. Before Go 1.21, the directive was advisory only; now it is a mandatory requirement: Go toolchains refuse to use modules declaring newer Go versions.
Seems like a non-issue. I'm still unclear what TFA is saying
IIRC the go version in go.mod is a minimum go toolchain version. In the future if you pull in a dep with a higher minimum toolchain version, it would be unbuildable without upgrading your toolchain. I expect there is an env variable to disable this, though.
I work with go daily, but I'm pretty sure our binary is pegged to a specific go version, using go.mod
I don't see in what scenario I would add a dependency and it would unexpectedly upgrade my go toolchain? Isn't my toolchain version pegged by a go.mod file?
This article may raise a valid concern, but it doesn't propose a clear alternative or solution.
I'm not a go truther but there seems to be lot of pessimism around it (error handling, generics, and now toolchain) and not enough optimism.