build(deps): bump github.com/Microsoft/hcsshim from 0.12.7 to 0.12.8

[dependabot]

Bumps github.com/Microsoft/hcsshim from 0.12.7 to 0.12.8.

Release notes

Sourced from github.com/Microsoft/hcsshim's releases.

v0.12.8

What's Changed

• Fixing typo by @​ritikaguptams in microsoft/hcsshim#2289
• [release/0.12] Update containerd to v1.7.23 by @​dmcgowan in microsoft/hcsshim#2295

Full Changelog: microsoft/hcsshim@v0.12.7...v0.12.8

Commits

• 8d48d87 Update containerd to v1.7.23 (#2295)
• 4ad298f Fixing typo (#2289)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[apostasie]

Changelog is a bit head scratching.
Not sure why they would move from "github.com/containerd/errdefs" to "github.com/containerd/containerd/errdefs".

Anyhow, updating to errdefs 0.3 is definitely a breaking change, so, I don't think we can update this for the time being.

[apostasie]

So, it is actually containerd 1.7.23 which updated from errdefs 0.1 to 0.3?

Not sure I understand why - isn't it just breaking? Since we all moved to containerd/errdefs (both on main and 1.7 branch) - 7cab42c - and errdefs 0.1 is apparently not compatible with 0.3

@AkihiroSuda not sure what the story is - are we supposed to revert to containerd/containerd/errdefs? or upgrade everything to latest errdefs?

[apostasie]

Tentatively #3585

[apostasie]

Update:

It looks like things might be fine with nerdctl 1.7 (see linked PR)

For main/v2, it seems to be more of a problem though - since this commit microsoft/hcsshim@8d48d87#diff-870cda2e943cddd5b705db9dee89be152789f5e106c9a12b3ba7336adad94ddbR9 is now forcing a transitive dependency on containerd (v1.7 in their case), we would now pull that in as well and depend on containerd v1.7 again - in a context where hcsshim has been reluctant to migrate to v2 (microsoft/hcsshim#1958), and their main branch is breaking compatibility (which will require containerd changes).
Clearly, containerd will also face the same problem - https://github.com/containerd/containerd/blob/main/go.mod#L10 - so, curious what will they do.

I am still confused as to why we would make these changes to errdefs that late in the v2 cycle.

@AkihiroSuda ideally, hcsshim would retract that release - and/or we pin it here and stay on 0.12.7 until it is figured out.

[AkihiroSuda]

Needs the next RC of containerd

• Update hcsshim version to v0.12.8 containerd#10866

The dependency on v1.7 is annoying but probably not worth retracting the release

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[apostasie]

Needs the next RC of containerd

• Update hcsshim version to v0.12.8 containerd#10866

The dependency on v1.7 is annoying but probably not worth retracting the release

So containerd v2 will depend on containerd v1.7?

[AkihiroSuda]

Yes, at least in v2.0.0

[apostasie]

Yes, at least in v2.0.0

And the reason is because we want to have containerd/errdefs v0.3 instead of v0.1?

[AkihiroSuda]

Yes

[apostasie]

Yes

I am sure it is worth it.

[apostasie]

Yes

To voice opinions clearly: this would be bad for anyone depending on containerd, or nerdctl, and will make things more confusing. It does not seem like there is any value in the errdefs update, and only obvious downsides - especially at a time like rc5+. We have been much more conservative on minor dependencies updates.
Am I missing something here?

[AkihiroSuda]

FYI: this was discussed in:

• Update errdefs to latest for 2.0 containerd#10478

Related to the 1.7 release, 1.7.23 partially reverted the errdefs switch and updated to errdef 0.3.0 to address the package instability.

[apostasie]

FYI: this was discussed in:

• Update errdefs to latest for 2.0 containerd#10478

Related to the 1.7 release, 1.7.23 partially reverted the errdefs switch and updated to errdef 0.3.0 to address the package instability.

There does not seem to be a discussion in there. The argument about "a need to update", or "package instability" came with no issue pointed at, no details (and was first made on Jul 17).
errdefs 0.2 came in September, and 0.3 a couple of weeks ago.

The sheer fact that the author made hcsshim revert to containerd/errdefs 1.7 makes it clear enough what is going on.