Checksum mismatch downloading argo-rollouts v1.2.0, v1.2.1 and GOPROXY=direct #2065
Comments
|
Here's when I downloaded the "wrong" checksum Here's the contents of sum.golang.org |
kevinburkesegment
changed the title
|
Aha, I figured it out - the module in proxy.golang.org works fine but the contents behind the proxy - ie if you do GOPROXY=direct - do not match up. |
Yes I'm pretty sure tag contents were not changed. Can we close this? |
|
Sorry - what I'm trying to tell you is the contents in the proxy don't match what's on Github. That indicates that the tag contents were changed at some point. At the very least, if the proxy drops the cached version and decides to re-fetch it from Github every one of your users will run into a problem here. |
|
Here's the diff I see between what's available for download from proxy.golang.org and what's available if I check out v1.2.0 of the source directly, with these commands (which Go runs): The latter bit - which looks like commit 08cf10e - is what's in the v1.2.0 git tag, the former bit is what's in the proxy. |
|
It also looks like there were two different CI builds (for two different commits) attempted for v1.2.0, and I am guessing for v1.2.1 as well https://github.com/argoproj/argo-rollouts/runs/5634127235?check_suite_focus=true |
|
Ohh I think you may be right about this. The release process is such that the tag comes first, and then the build. This sometimes leads to situation where even though the tip of the branch passed, the release action fails and needs a minor fixing and retagging. |
|
FYI I get the same issue when I try to download v1.2.1 which means that the last two releases are broken for anyone who does not want to download from proxy.golang.org. I'm happy to go through the same process as above to figure out the diff between the proxy.golang.org version and the tagged release if you'd like. Is there a way you could tag a new release? |
Versions v1.2.0 and v1.2.1 both featured tags that were pushed, deleted, and then re-pushed. Because proxy.golang.org cached the first version of each, this means the source code downloaded from proxy.golang.org, and directly from Github. This means that anyone who does _not_ want to use proxy.golang.org (like me) cannot import the source code, because it fails checksum verification. Creating a new version tag (and ensuring that the tag only gets pushed once) should resolve this issue, since users can upgrade to the new version. Updates argoproj#2065.
Versions v1.2.0 and v1.2.1 both featured tags that were pushed, deleted, and then re-pushed. Because proxy.golang.org cached the first version of each, this means the source code downloaded from proxy.golang.org, and directly from Github. This means that anyone who does _not_ want to use proxy.golang.org (like me) cannot import the source code, because it fails checksum verification. Creating a new version tag (and ensuring that the tag only gets pushed once) should resolve this issue, since users can upgrade to the new version. Updates argoproj#2065.
|
Hey, just wondering if there's any chance you could tag a new release, even tagging 1.2.2 to point at the same commit that is currently present in proxy.golang.org would be helpful. Thanks. |
|
This issue is stale because it has been open 60 days with no activity. |
|
Is this working for 1.3.1? |
|
Same for 1.3.2: |
|
I see it's closed in 1.4, but is there a way to use earlier packages with |
Hi, did you happen to push different content to the same Git tag, or change the released content at the URL? I had a checksum mismatch in my local go.sum for this module and version.
The text was updated successfully, but these errors were encountered: