datadog-agent

update dgraph-io/ristretto to outcaste-io/ristretto

Open seanbachelder opened this issue 3 years ago • 8 comments

This is a follow-up PR to https://github.com/DataDog/datadog-agent/pull/12559. That PR was reverted due to an issue with the updated dependency (missing tag for the specified version in Git). That issue has been resolved, so I am starting a new PR.

See https://github.com/DataDog/datadog-agent/pull/12559 for additional context

FYI @mightyguava @mx-psi

seanbachelder, Sep 22 '22 23:09

CLA assistant check
All committers have signed the CLA.

bits-bot, Sep 22 '22 23:09

Thank you for following up on this PR!

mightyguava, Sep 22 '22 23:09

Unfortunately, this is still broken:

$ GOPROXY=direct go mod tidy
# some omitted lines here
# ...
go: downloading github.com/outcaste-io/ristretto v0.2.0
# ...
# some more omitted lines here
verifying github.com/outcaste-io/ristretto@v0.2.0/go.mod: checksum mismatch
	downloaded: h1:LahBAYw9RQqN5qXr7uHrHyRwEivBjzRj/MQDUZGkPGY=
	go.sum:     h1:iBZA7RCt6jaOr0z6hiBQ6t662/oZ6Gx/yauuPvIWHAI=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

mx-psi, Oct 13 '22 15:10
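
An added example, not part of the thread or of the datadog-agent code: how the h1: value on a go.sum "/go.mod" line is derived, and how any change in the bytes served for a tag produces the "checksum mismatch" shown above. The function names and the example.test/cache module are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 is go.sum's "h1:" format: base64 SHA-256 of sorted "<sha256 hex>  <name>\n" lines.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// goModHash is the value on a "<module> <version>/go.mod" line: one file named "go.mod".
func goModHash(goMod []byte) string {
	return hash1(map[string][]byte{"go.mod": goMod})
}

// checkGoSum compares go.mod bytes with the go.sum entry: "ok", "mismatch" or "missing".
func checkGoSum(goSum, module, version string, goMod []byte) string {
	prefix := module + " " + version + "/go.mod "
	for _, line := range strings.Split(goSum, "\n") {
		if !strings.HasPrefix(line, prefix) {
			continue
		}
		if strings.TrimSpace(line[len(prefix):]) == goModHash(goMod) {
			return "ok"
		}
		return "mismatch"
	}
	return "missing"
}

func main() {
	a := []byte("module example.test/cache\n\ngo 1.17\n") // constructed go.mod
	b := []byte("module example.test/cache\n\ngo 1.19\n") // same tag, other bytes
	goSum := "example.test/cache v0.2.0/go.mod " + goModHash(a) + "\n"
	fmt.Println(checkGoSum(goSum, "example.test/cache", "v0.2.0", a), checkGoSum(goSum, "example.test/cache", "v0.2.0", b))
}
```

The go.sum line without "/go.mod" uses the same hash over every file in the module zip, with each name prefixed by module@version/.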

@mx-psi I tried creating a new project locally, ran go clean -modcache, and then ran go get github.com/outcaste-io/ristretto@v0.2.0. The go.sum file has the same checksum as present in this PR. Is there a cache in the build pipeline that could be causing issues?

seanbachelder, Oct 13 '22 17:10

My test was run locally, can you try GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0 and see if you get a different checksum?

mx-psi, Oct 13 '22 18:10

Hmm.. interesting. When I test on my work laptop (Go v1.19.1), everything goes through fine. When I test with my personal laptop (Go v1.17), I get a similar error as to what you have, but with different checksums. The downloaded checksum is different than yours and the mismatch is occurring against sum.golang.org. So, I'm slightly confused atm

seanbachelder, Oct 13 '22 19:10

> Hmm.. interesting. When I test on my work laptop (Go v1.19.1), everything goes through fine. When I test with my personal laptop (Go v1.17), I get a similar error as to what you have, but with different checksums. The downloaded checksum is different than yours and the mismatch is occurring against sum.golang.org. So, I'm slightly confused atm

@seanbachelder That's (most likely) because of your mod cache, not because of the Go version. You can try running go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0 to start with a clean cache.

mx-psi, Oct 14 '22 08:10

> @seanbachelder That's (most likely) because of your mod cache, not because of the Go version. You can try running go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0 to start with a clean cache.

It's weird, I'm seeing inconsistent behavior here and am not entirely sure what to think 🤔

Sometimes I see h1:T0654hri6Puf/JfTqg85QozN40gzR3Z9rJXCYJxqcAk= as the downloaded checksum:

go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0
go: downloading github.com/outcaste-io/ristretto v0.2.0
go: github.com/outcaste-io/ristretto@v0.2.0: verifying module: checksum mismatch
	downloaded: h1:T0654hri6Puf/JfTqg85QozN40gzR3Z9rJXCYJxqcAk=
	sum.golang.org: h1:47w059XTZWFt01OucwjcBt8mEa3VUUhntUWEfmgVBFc=

Other times I see h1:LahBAYw9RQqN5qXr7uHrHyRwEivBjzRj/MQDUZGkPGY=

go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0
go: github.com/outcaste-io/ristretto@v0.2.0: verifying go.mod: checksum mismatch
	downloaded: h1:LahBAYw9RQqN5qXr7uHrHyRwEivBjzRj/MQDUZGkPGY=
	sum.golang.org: h1:iBZA7RCt6jaOr0z6hiBQ6t662/oZ6Gx/yauuPvIWHAI=

I'm wondering if maybe the v0.2.0 version was published incorrectly / multiple times? I've never seen anything like this

seanbachelder, Oct 14 '22 20:10

I get message 1 if I have an empty go.sum, and message 2 if my go.sum has a line for this dependency (although the last line refers to go.sum). I also don't know where this mismatch comes from, but it's not possible for a dependency to be published twice.

Whatever the reason may be, I can't accept this PR since it will break downstream consumers. It also looks like upstream has published a new version so I feel like we need a better justification on why we should use this fork.

mx-psi, Oct 17 '22 07:10

Fair enough. I think I'll just close this for now. Appreciate the follow up!

seanbachelder, Oct 17 '22 19:10