update dgraph-io/ristretto to outcaste-io/ristretto #13630

Closed
seanbachelder wants to merge 2 commits into DataDog:main from seanbachelder:main
seanbachelder commented Sep 22, 2022

This is a follow-up PR to #12559. That PR was reverted due to an issue with the updated dependency (missing tag for the specified version in Git). That issue has been resolved, so I am starting a new PR.

See #12559 for additional context

FYI @mightyguava @mx-psi

seanbachelder requested review from a team as code owners September 22, 2022 23:48

bits-bot (Collaborator) commented Sep 22, 2022

CLA assistant check
All committers have signed the CLA.

mightyguava (Contributor) commented

Thank you for following up on this PR!

mx-psi added this to the 7.41.0 milestone Sep 26, 2022
mx-psi added the changelog/no-changelog (No changelog entry needed), team/agent-apm and trace-agent labels Sep 26, 2022

mx-psi (Member) left a comment

LGTM, but will double check that the git tag is correct before merging. This will have to wait until the current merge freeze is over

mx-psi (Member) commented Oct 13, 2022

Unfortunately, this is still broken:

$ GOPROXY=direct go mod tidy
# some omitted lines here
# ...
go: downloading github.com/outcaste-io/ristretto v0.2.0
# ...
# some more omitted lines here
verifying github.com/outcaste-io/ristretto@v0.2.0/go.mod: checksum mismatch
	downloaded: h1:LahBAYw9RQqN5qXr7uHrHyRwEivBjzRj/MQDUZGkPGY=
	go.sum:     h1:iBZA7RCt6jaOr0z6hiBQ6t662/oZ6Gx/yauuPvIWHAI=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

seanbachelder (Author) commented

@mx-psi I tried creating a new project locally, ran go clean -modcache, and then ran go get github.com/outcaste-io/ristretto@v0.2.0. The go.sum file has the same checksum as present in this PR. Is there a cache in the build pipeline that could be causing issues?

mx-psi (Member) commented Oct 13, 2022

My test was run locally, can you try GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0 and see if you get a different checksum?

seanbachelder (Author) commented

Hmm.. interesting. When I test on my work laptop (Go v1.19.1), everything goes through fine. When I test with my personal laptop (Go v1.17), I get a similar error as to what you have, but with different checksums. The downloaded checksum is different than yours and the mismatch is occurring against sum.golang.org. So, I'm slightly confused atm

mx-psi (Member) commented Oct 14, 2022

> Hmm.. interesting. When I test on my work laptop (Go v1.19.1), everything goes through fine. When I test with my personal laptop (Go v1.17), I get a similar error as to what you have, but with different checksums. The downloaded checksum is different than yours and the mismatch is occurring against sum.golang.org. So, I'm slightly confused atm

@seanbachelder That's (most likely) because of your mod cache, not because of the Go version. You can try running go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0 to start with a clean cache.

seanbachelder (Author) commented

> @seanbachelder That's (most likely) because of your mod cache, not because of the Go version. You can try running go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0 to start with a clean cache.

It's weird, I'm seeing inconsistent behavior here and am not entirely sure what to think 🤔

Sometimes I see h1:T0654hri6Puf/JfTqg85QozN40gzR3Z9rJXCYJxqcAk= as the downloaded checksum:

go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0
go: downloading github.com/outcaste-io/ristretto v0.2.0
go: github.com/outcaste-io/ristretto@v0.2.0: verifying module: checksum mismatch
	downloaded: h1:T0654hri6Puf/JfTqg85QozN40gzR3Z9rJXCYJxqcAk=
	sum.golang.org: h1:47w059XTZWFt01OucwjcBt8mEa3VUUhntUWEfmgVBFc=

Other times I see h1:LahBAYw9RQqN5qXr7uHrHyRwEivBjzRj/MQDUZGkPGY=

go clean -modcache && GOPROXY=direct go get github.com/outcaste-io/ristretto@v0.2.0
go: github.com/outcaste-io/ristretto@v0.2.0: verifying go.mod: checksum mismatch
	downloaded: h1:LahBAYw9RQqN5qXr7uHrHyRwEivBjzRj/MQDUZGkPGY=
	sum.golang.org: h1:iBZA7RCt6jaOr0z6hiBQ6t662/oZ6Gx/yauuPvIWHAI=

I'm wondering if maybe the v0.2.0 version was published incorrectly / multiple times? I've never seen anything like this

mx-psi (Member) commented Oct 17, 2022

I get message 1 if I have an empty go.sum, and message 2 if my go.sum has a line for this dependency (although the last line refers to go.sum). I also don't know where this mismatch comes from, but it's not possible for a dependency to be published twice.

Whatever the reason may be, I can't accept this PR since it will break downstream consumers. It also looks like upstream has published a new version so I feel like we need a better justification on why we should use this fork.

seanbachelder (Author) commented

Fair enough. I think I'll just close this for now. Appreciate the follow up!
