
Checksum mismatch downloading argo-rollouts v1.2.0, v1.2.1 and GOPROXY=direct

Open kevinburkesegment opened this issue 2 years ago • 9 comments

Hi, did you happen to push different content to the same Git tag, or change the released content at the URL? I had a checksum mismatch in my local go.sum for this module and version.

verifying github.com/argoproj/argo-rollouts@v1.2.0: checksum mismatch
	downloaded: h1:+4a2BRD+Fjox5rcLEKmcUFmpwPhR5oaWFe2CrQZK31o=
	go.sum:     h1:3CxEe2tyeZd9I6qWQo7RUAYyGb3qAnXo4SgSVBJBEBs=

kevinburkesegment avatar Jun 01 '22 18:06 kevinburkesegment

Here's when I downloaded the "wrong" checksum

$ cat /Users/kevinburke/pkg/mod/cache/download/github.com/argoproj/argo-rollouts/@v/v1.2.0.info
{"Version":"v1.2.0","Time":"2022-03-21T20:45:35Z"}

Here's the contents of sum.golang.org

$ curl https://sum.golang.org/lookup/github.com/argoproj/argo-rollouts@v1.2.0
9679416
github.com/argoproj/argo-rollouts v1.2.0 h1:3CxEe2tyeZd9I6qWQo7RUAYyGb3qAnXo4SgSVBJBEBs=
github.com/argoproj/argo-rollouts v1.2.0/go.mod h1:k4e3rCEMfta7WfJvOmkSHsPhqq2IqfUf8swth+pTQ+E=

go.sum database tree
10787463
O3PJsqC/8T/F1xzBCjaCgBpO7CXjV/sL3wdnd68SkrA=

— sum.golang.org Az3grm23DQTu7ox8v/isf4KYl0GwDXWxvLNzC/wk+a0QiKGtsKsh2fwPBDub7N4i7BIW08LQM/OjuWcjdXZufj2gdgc=

kevinburkesegment avatar Jun 01 '22 19:06 kevinburkesegment

Aha, I figured it out - the module in proxy.golang.org works fine but the contents behind the proxy - i.e. if you do GOPROXY=direct - do not match up.

kevinburkesegment avatar Jun 01 '22 20:06 kevinburkesegment

> Aha, I figured it out - the module in proxy.golang.org works fine but the contents behind the proxy - ie if you do GOPROXY=direct - do not match up.

Yes I'm pretty sure tag contents were not changed. Can we close this?

jessesuen avatar Jun 01 '22 20:06 jessesuen

Sorry - what I'm trying to tell you is the contents in the proxy don't match what's on GitHub. That indicates that the tag contents were changed at some point.

At the very least, if the proxy drops the cached version and decides to re-fetch it from GitHub, every one of your users will run into a problem here.

kevinburkesegment avatar Jun 01 '22 20:06 kevinburkesegment

Here's the diff I see between what's available for download from proxy.golang.org and what's available if I check out v1.2.0 of the source directly, with these commands (which Go runs):

curl -w '' -o /tmp/argo-v1.2.0-proxy.zip proxy.golang.org/github.com/argoproj/argo-rollouts/@v/v1.2.0.zip
git -c core.autocrlf=input -c core.eol=lf archive --format=zip --prefix=prefix/ 08cf10e554fe99c24c8a37ad07fadd9318e4c8a1 > /tmp/argo-v1.2.0-direct.zip
$ diff -r ./github.com/argoproj/argo-rollouts@v1.2.0 ./prefix
diff -r ./github.com/argoproj/argo-rollouts@v1.2.0/Dockerfile ./prefix/Dockerfile
15,17c15
< RUN wget https://install.goreleaser.com/github.com/golangci/golangci-lint.sh  && \
<     chmod +x ./golangci-lint.sh && \
<     ./golangci-lint.sh -b $GOPATH/bin && \
---
> RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.44.0 && \
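Review bot: On the ">" side (line 15 of the tagged Dockerfile), install.sh is fetched from the mutable master branch and piped straight into sh, so only the linter version (v1.44.0) is pinned, not the script that runs during the image build. Fetching the installer from a tag or commit URL and checking its digest before executing it would keep the build reproducible; the "<" side has the same unverified download-and-run pattern through install.goreleaser.com and passes no version at all.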

The latter bit - which looks like commit 08cf10e554fe99c24c8a37ad07fadd9318e4c8a1 - is what's in the v1.2.0 git tag, the former bit is what's in the proxy.

kevinburkesegment avatar Jun 01 '22 20:06 kevinburkesegment
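
Added example (not from the thread or from the argo-rollouts project): the h1: values in the mismatch messages are a hash over every file in the module zip, which is why the single changed Dockerfile line in the diff above is enough to break verification. The Go sketch below reimplements that hash over two constructed in-memory trees and lists the entries that differ; the module path example.com/demo and the file contents are made up for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

type Tree map[string][]byte // zip entry name ("module@version/path") -> contents

// H1 hashes the sorted lines "<hex sha256 of file>  <name>\n", as the h1: format does.
func H1(t Tree) string {
	var names []string
	for n := range t {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(t[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

func Changed(a, b Tree) []string { // entries that differ or exist on one side only
	var out []string
	for n, c := range a {
		if o, ok := b[n]; !ok || string(o) != string(c) {
			out = append(out, n)
		}
	}
	for n := range b {
		if _, ok := a[n]; !ok {
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

func sample(dockerfile string) Tree { // constructed tree, hypothetical module path
	const mod = "example.com/demo@v1.0.0/"
	return Tree{mod + "go.mod": []byte("module example.com/demo\n"), mod + "Dockerfile": []byte(dockerfile)}
}

func main() {
	proxy, direct := sample("RUN ./install-a.sh\n"), sample("RUN ./install-b.sh\n")
	fmt.Println(H1(proxy), H1(direct), Changed(proxy, direct))
}
```

Because the hash covers file names as well as contents, a file that is not compiled into the module (here a Dockerfile) still changes the h1: value when a tag is moved.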

It also looks like there were two different CI builds (for two different commits) attempted for v1.2.0, and I am guessing for v1.2.1 as well

https://github.com/argoproj/argo-rollouts/runs/5634127235?check_suite_focus=true https://github.com/argoproj/argo-rollouts/runs/5634458780?check_suite_focus=true

kevinburkesegment avatar Jun 01 '22 22:06 kevinburkesegment

Ohh I think you may be right about this. The release process is such that the tag comes first, and then the build. This sometimes leads to a situation where even though the tip of the branch passed, the release action fails and needs minor fixing and retagging.

jessesuen avatar Jun 02 '22 00:06 jessesuen

FYI I get the same issue when I try to download v1.2.1

$ GO111MODULE=on GOPROXY=direct go mod download github.com/argoproj/argo-rollouts@v1.2.1
go: github.com/argoproj/argo-rollouts@v1.2.1: verifying module: checksum mismatch
	downloaded: h1:8txnRKukYXvWMlLRQ4biixj9FdrLEGECyrW2eFsLTyc=
	sum.golang.org: h1:4hSgKEqpQsZreZBv+XcLsB+oBaRGMVW19nMScx5ikIQ=

which means that the last two releases are broken for anyone who does not want to download from proxy.golang.org. I'm happy to go through the same process as above to figure out the diff between the proxy.golang.org version and the tagged release if you'd like.

Is there a way you could tag a new release?

kevinburkesegment avatar Jun 02 '22 04:06 kevinburkesegment

Hey, just wondering if there's any chance you could tag a new release, even tagging 1.2.2 to point at the same commit that is currently present in proxy.golang.org would be helpful. Thanks.

kevinburkesegment avatar Jul 05 '22 18:07 kevinburkesegment

This issue is stale because it has been open 60 days with no activity.

github-actions[bot] avatar Oct 19 '22 04:10 github-actions[bot]

Is this working for 1.3.1?

zachaller avatar Oct 20 '22 01:10 zachaller

Same for 1.3.2:

        github.com/argoproj/argo-rollouts/pkg/apis/rollouts/v1alpha1: github.com/argoproj/argo-rollouts@v1.3.2: verifying module: checksum mismatch
        downloaded: h1:C+sjcCQHjcdIk9ChLF62+muFuodGmqfWHhdcufxOQ3I=
        sum.golang.org: h1:SCSokQTpVWzB1emZYWNKHzknENYoweix2hWvdWxE7xA=

diversario avatar Jan 27 '23 11:01 diversario

I see it's closed in 1.4, but is there a way to use earlier packages with GOPROXY=direct?

diversario avatar Jan 27 '23 11:01 diversario