reflections icon indicating copy to clipboard operation
reflections copied to clipboard
verified publisher icon oleiade

Git commit overwritten causes builds to fail

Open dan-hipschman opened this issue 5 years ago • 8 comments

Hello,

Thanks for reflections!

We're using this project and had it pinned in Gopkg.lock as follows:

[[projects]]
  digest = "1:c17f50b4ccbba568a6fc10b06a24bb8ac99077470fd48a905759f9914d631dd7"
  name = "github.com/oleiade/reflections"
  packages = ["."]
  pruneopts = "NUT"
  revision = "2b6ec3da648e3e834dc41bad8d9ed7f2dc6a9496"
  version = "v1.0.0"

Earlier today it looks like our builds started failing because the commit 2b6ec3da648e3e834dc41bad8d9ed7f2dc6a9496 no longer exists in this repo. I don't have the full history, but it looks like new commits were force pushed over old commits and and the v1.0.0 tag was updated.

Just a heads up that this will break our builds (and whoever else is using it this way). We can update the lock file on our side, but just letting you know it would be appreciated if new commits are only merged and never rebased so history is preserved, and tags aren't updated.

Thanks again! :)

dan-hipschman avatar Nov 15 '20 21:11 dan-hipschman

Please don't override tags.

filipeandre avatar Nov 16 '20 11:11 filipeandre

same issue with go modules :((

sashayakovtseva avatar Nov 17 '20 21:11 sashayakovtseva

same issue with go modules :((

I try to remove my go.sum, use go clean -modcache, then go mod tidy again. Sometimes it's work, sometimes it's not. Now, I have to hardcode the hash in go.sum to make the CI build run, but I cannot run the app in local.

huucp avatar Nov 19 '20 02:11 huucp

@huucp this works without need to hardcode hashsum:

  1. go clean --modcache
  2. rm go.sum
  3. GOSUMDB=off go mod tidy or whatever mod command you need

once done, no need for GOSUMDB=off any more

sashayakovtseva avatar Nov 19 '20 11:11 sashayakovtseva

@huucp export GOSUMDB=off && go clean -modcache && rm go.sum && go mod tidy

thienna avatar Nov 23 '20 08:11 thienna

That solution is sadly not possible when using external systems, e.g. GitHub's Dependabot:

verifying github.com/oleiade/[email protected]/go.mod: checksum mismatch
	downloaded: h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
	go.sum:     h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Maybe releasing a 1.0.1 could work?

lagren avatar Nov 27 '20 02:11 lagren

Hi folks,

Really sorry about that!! Thanks for reporting it @dan-hipschman-od (and your kindness about it) much appreciated. I updated all my libraries to support go modules in one go and wanted to "mark the hit" (like we say in french). I realize now, in hindsight, that rewriting the master history, and overriding the existing release was a terrible idea. That's a learning for me 👍

I will release a v1.0.1 right away to address the issue that have been mentioned above. Thanks for your patience 🦕

oleiade avatar Nov 27 '20 08:11 oleiade

I have pushed a v1.0.1 tag, and published a release. Let me know if you're still experiencing issues after bumping the version you use on your side. Thanks for your support 🙏

oleiade avatar Nov 27 '20 09:11 oleiade