search

kubernetes-sigs / application

Application metadata descriptor CRD
Apache License 2.0
511 stars 162 forks source link

Consider releasing a new tag? #230

Closed Ben131-Go closed 1 year ago

Ben131-Go commented 1 year ago

Background

Comparing latest tag version v0.8.3 of sigs.k8s.io/application from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
"name": "GitHub",
"email": "noreply@github.com",
"date": "2020-06-08T23:39:12Z"
}

commit time of the copy on proxy.golang.org

{"Version":"v0.8.3","Time":"2020-04-13T18:34:46Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v0.8.3 tag of sigs.k8s.io/application might have been retagged after a minor edition on github.
In this case, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get sigs.k8s.io/application@v0.8.3, the following error occurs.


go: downloading sigs.k8s.io/application v0.8.3
go: sigs.k8s.io/application@v0.8.3: verifying module: checksum mismatch
downloaded: h1:dL2dYfNFZIdpwLc/pLecfW5fLPtlAvBv5Vwk+4EalV0=
sum.golang.org: h1:5UETobiVhxTkKn3pIESImXiMNmSg3VkM5+JvmYGDPko=

SECURITY ERROR This download does NOT match the one reported by the checksum server. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt.

For more information, see 'go help module-auth'.



## Solution
### 1. Release a new tag
I would recommend releasing a new tag to ensure dependency copy in proxy.golang.org and github in sync.

## References
+ <https://proxy.golang.org/>
k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-ci-robot commented 1 year ago

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to [this](https://github.com/kubernetes-sigs/application/issues/230#issuecomment-1617476482): >The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. > >This bot triages issues according to the following rules: >- After 90d of inactivity, `lifecycle/stale` is applied >- After 30d of inactivity since `lifecycle/stale` was applied, `lifecycle/rotten` is applied >- After 30d of inactivity since `lifecycle/rotten` was applied, the issue is closed > >You can: >- Reopen this issue with `/reopen` >- Mark this issue as fresh with `/remove-lifecycle rotten` >- Offer to help out with [Issue Triage][1] > >Please send feedback to sig-contributor-experience at [kubernetes/community](https://github.com/kubernetes/community). > >/close not-planned > >[1]: https://www.kubernetes.dev/docs/guide/issue-triage/ Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.