argoproj / argo-rollouts

Progressive Delivery for Kubernetes
https://argo-rollouts.readthedocs.io/
Apache License 2.0

Checksum mismatch downloading argo-rollouts v1.2.0, v1.2.1 and GOPROXY=direct #2065

Closed kevinburkesegment closed 2 years ago

kevinburkesegment commented 2 years ago

Hi, did you happen to push different content to the same Git tag, or change the released content at the URL? I had a checksum mismatch in my local go.sum for this module and version.

verifying github.com/argoproj/argo-rollouts@v1.2.0: checksum mismatch
    downloaded: h1:+4a2BRD+Fjox5rcLEKmcUFmpwPhR5oaWFe2CrQZK31o=
    go.sum:     h1:3CxEe2tyeZd9I6qWQo7RUAYyGb3qAnXo4SgSVBJBEBs=

kevinburkesegment commented 2 years ago

Here's when I downloaded the "wrong" checksum

$ cat /Users/kevinburke/pkg/mod/cache/download/github.com/argoproj/argo-rollouts/@v/v1.2.0.info
{"Version":"v1.2.0","Time":"2022-03-21T20:45:35Z"}

Here's the contents of sum.golang.org

$ curl https://sum.golang.org/lookup/github.com/argoproj/argo-rollouts@v1.2.0
9679416
github.com/argoproj/argo-rollouts v1.2.0 h1:3CxEe2tyeZd9I6qWQo7RUAYyGb3qAnXo4SgSVBJBEBs=
github.com/argoproj/argo-rollouts v1.2.0/go.mod h1:k4e3rCEMfta7WfJvOmkSHsPhqq2IqfUf8swth+pTQ+E=

go.sum database tree
10787463
O3PJsqC/8T/F1xzBCjaCgBpO7CXjV/sL3wdnd68SkrA=

— sum.golang.org Az3grm23DQTu7ox8v/isf4KYl0GwDXWxvLNzC/wk+a0QiKGtsKsh2fwPBDub7N4i7BIW08LQM/OjuWcjdXZufj2gdgc=

kevinburkesegment commented 2 years ago

Aha, I figured it out - the module in proxy.golang.org works fine but the contents behind the proxy - i.e. if you do GOPROXY=direct - do not match up.

jessesuen commented 2 years ago

> Aha, I figured it out - the module in proxy.golang.org works fine but the contents behind the proxy - i.e. if you do GOPROXY=direct - do not match up.

Yes I'm pretty sure tag contents were not changed. Can we close this?

kevinburkesegment commented 2 years ago

Sorry - what I'm trying to tell you is the contents in the proxy don't match what's on GitHub. That indicates that the tag contents were changed at some point.

At the very least, if the proxy drops the cached version and decides to re-fetch it from GitHub, every one of your users will run into a problem here.

kevinburkesegment commented 2 years ago

Here's the diff I see between what's available for download from proxy.golang.org and what's available if I check out v1.2.0 of the source directly, with these commands (which Go runs):

curl -w '' -o /tmp/argo-v1.2.0-proxy.zip proxy.golang.org/github.com/argoproj/argo-rollouts/@v/v1.2.0.zip
git -c core.autocrlf=input -c core.eol=lf archive --format=zip --prefix=prefix/ 08cf10e554fe99c24c8a37ad07fadd9318e4c8a1 > /tmp/argo-v1.2.0-direct.zip
$ diff -r ./github.com/argoproj/argo-rollouts@v1.2.0 ./prefix
diff -r ./github.com/argoproj/argo-rollouts@v1.2.0/Dockerfile ./prefix/Dockerfile
15,17c15
< RUN wget https://install.goreleaser.com/github.com/golangci/golangci-lint.sh  && \
<     chmod +x ./golangci-lint.sh && \
<     ./golangci-lint.sh -b $GOPATH/bin && \
---
> RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.44.0 && \
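Review bot: the `>` line pipes `install.sh` fetched from the `master` branch straight into `sh`, so although the linter is pinned to v1.44.0 the installer script itself is not pinned; fetching the script from a tagged or commit-specific URL, or checking its digest before running it, would make the build reproducible. The `<` lines had the same download-and-execute pattern from install.goreleaser.com with no verification step.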

The latter bit - which looks like commit 08cf10e554fe99c24c8a37ad07fadd9318e4c8a1 - is what's in the v1.2.0 git tag, the former bit is what's in the proxy.

kevinburkesegment commented 2 years ago

It also looks like there were two different CI builds (for two different commits) attempted for v1.2.0, and I am guessing for v1.2.1 as well

https://github.com/argoproj/argo-rollouts/runs/5634127235?check_suite_focus=true
https://github.com/argoproj/argo-rollouts/runs/5634458780?check_suite_focus=true

jessesuen commented 2 years ago

Ohh I think you may be right about this. The release process is such that the tag comes first, and then the build. This sometimes leads to a situation where even though the tip of the branch passed, the release action fails and needs minor fixing and retagging.

kevinburkesegment commented 2 years ago

FYI I get the same issue when I try to download v1.2.1

$ GO111MODULE=on GOPROXY=direct go mod download github.com/argoproj/argo-rollouts@v1.2.1
go: github.com/argoproj/argo-rollouts@v1.2.1: verifying module: checksum mismatch
    downloaded: h1:8txnRKukYXvWMlLRQ4biixj9FdrLEGECyrW2eFsLTyc=
    sum.golang.org: h1:4hSgKEqpQsZreZBv+XcLsB+oBaRGMVW19nMScx5ikIQ=

which means that the last two releases are broken for anyone who does not want to download from proxy.golang.org. I'm happy to go through the same process as above to figure out the diff between the proxy.golang.org version and the tagged release if you'd like.

Is there a way you could tag a new release?

kevinburkesegment commented 2 years ago

Hey, just wondering if there's any chance you could tag a new release, even tagging 1.2.2 to point at the same commit that is currently present in proxy.golang.org would be helpful. Thanks.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity.

zachaller commented 2 years ago

Is this working for 1.3.1?

diversario commented 1 year ago

Same for 1.3.2:

        github.com/argoproj/argo-rollouts/pkg/apis/rollouts/v1alpha1: github.com/argoproj/argo-rollouts@v1.3.2: verifying module: checksum mismatch
        downloaded: h1:C+sjcCQHjcdIk9ChLF62+muFuodGmqfWHhdcufxOQ3I=
        sum.golang.org: h1:SCSokQTpVWzB1emZYWNKHzknENYoweix2hWvdWxE7xA=

diversario commented 1 year ago

I see it's closed in 1.4, but is there a way to use earlier packages with GOPROXY=direct?