You have likely already seen this, but some chance related to #33513 (comment)

Note the error text returned by that URL:

not found: k8s.io/client-go@v12.0.0+incompatible: invalid version: +incompatible suffix not allowed: module contains a go.mod file, so semantic import versioning is required

See https://tip.golang.org/doc/go1.13#version-validation for more detail and advice on fixes and workarounds.

See also #32695.

Duplicate of #32805

FWIW, a bit more detail.

The v12.0.0 go.mod file for k8s.io/client-go appears to be missing the required /v12 at the end of the module line:

https://github.com/kubernetes/client-go/blob/v12.0.0/go.mod#L3

module k8s.io/client-go

From the cmd/go documentation

In semantic versioning, changing the major version number indicates a lack of backwards compatibility with earlier versions. To preserve import compatibility, the go command requires that modules with major version v2 or later use a module path with that major version as the final element. For example, version v2.0.0 of example.com/m must instead use module path example.com/m/v2, and packages in that module would use that path as their import path prefix, as in example.com/m/v2/sub/pkg. Including the major version number in the module path and import paths in this way is called "semantic import versioning".

CC @liggitt @nikhita

Some additional context is that proxy.golang.org was recently updated to use 1.13beta1, which included "invalidating some old module versions that are currently being served from proxy.golang.org but are no longer valid in 1.13".

Some more details from the one of the announcements on golang-dev:

As an update, related to https://golang.org/issue/32805 and https://golang.org/issue/32879#issuecomment-507861612:
Go 1.13 includes some changes to the go command which tighten up the validation of module versions. Now that we have upgraded proxy.golang.org to use the 1.13beta1 version of the go command, we will be invalidating old module versions that are currently being served from proxy.golang.org but are no longer valid in 1.13. We don't expect any major issues from users since the request count is low for each of the module versions that will be invalidated, but please file issues against the issue tracker, prefixed "proxy.golang.org", if you encounter any problems. Thanks to everyone who has filed issues so far and given us feedback!

@bcmills i'm sorry to reopen this but this has broken our Go 1.12 builds, we're not in a position to upgrade to 1.13beta1. We need a solution that restores functionality for Go 1.12.

@davecheney, a replace directive (as described in the 1.13 release notes) should also work in 1.12. Please give it a try.

Two other potential options when using the Go 1.12 go command:

1. Use an alternate proxy. For example, this seemed to work just now, perhaps because goproxy.io is not yet running Go 1.13:

GOPROXY=https://goproxy.io go get -d k8s.io/client-go@v12.0.0

2. Use direct. This also seemed to work just now:

GOPROXY=direct go get -d k8s.io/client-go@v12.0.0

@bcmills this worked last week. Our builds built last week using Go 1.12. They worked on Monday. Something has broken in proxy.golang.org that means it no longer works as it did just a few days ago.

It's unreasonable to ask users to change their go.mod configuration because proxy.golang.org can no longer serve valid artefacts that it served a few days ago.

Further,

We don't expect any major issues from users since the request count is low for each of the module versions that will be invalidated, but please file issues against the issue tracker, prefixed "proxy.golang.org", if you encounter any problems.

Clearly this is not true, v12 of client-go is a very popular dependency and now it is inaccessible for Go 1.12 users using proxy.golang.org.

One other possible solution is I think 1.12 can be forced to use a pseudo-version with a commit hash corresponding to the v12.0.0 tag of k8s.io/client-go.

In particular, this works:

GOPROXY=https://proxy.golang.org go get -d k8s.io/client-go@78d2af7

with this result recorded in go.mod:

require k8s.io/client-go v0.0.0-20190620085101-78d2af792bab

78d2af792bab is the commit hash for v12.0.0 of client-go.

An alternative path to a similar result:

echo 'replace k8s.io/client-go => k8s.io/client-go 78d2af7' >> go.mod
go list -m all

which then results in a go.mod with:

replace k8s.io/client-go => k8s.io/client-go v0.0.0-20190620085101-78d2af792bab

It's unreasonable to ask users to change their go.mod configuration because proxy.golang.org can no longer serve valid artefacts that it served a few days ago.

The v12.0.0 artifact is not valid and never was — as far as I'm aware the requirement for semantic import paths has been clearly documented since Go 1.11.

The fact that v12.0.0+incompatible could be fetched in certain circumstances by playing games with manually-added suffixes was a bug, plain and simple. The fact that that bug was temporarily exacerbated by the proxy's /list endpoint is unfortunate, but now that's been fixed too.

See also kubernetes/client-go#631.

The fact that v12.0.0+incompatible could be fetched in certain circumstances by playing games with manually-added suffixes was a bug, plain and simple.

It may be a bug, but the bug exists in Go 1.12, the version that produced that line. Saying it's a bug is fine, but breaking projects that were happily working up to a few days ago is pretty unfriendly behaviour.

@bcmills given that go.mod files with lines ending in +incompatible can no longer be served via proxies, should the go command reject them completely when operating in proxy mode?

The bug in Go 1.12 required manual exploitation by users (adding an explicit +incompatible suffix). Otherwise, they would get either an error or a version rewritten to the valid equivalent (v0.0.0-20190620085101-78d2af792bab).

The only users who would have picked it up without manual intervention would have picked it up from a cache or proxy entry introduced by some other module that manually exploited the bug.

Moreover, there is a simple workaround available: replace the invalid version with its valid equivalent.

Adding the same validation to the proxy path is #32955, but that's a harder problem in general because the protocol erases version control history. (It's possible to do for invalid +incompatible versions, but not for invalid pseudo-versions because the proxy does not supply compete version-control history.)

Thanks for clarifying. If +incompatible is a bug or represents incorrect manual editing, should the go tool error out when it finds those lines? If the hypothesis is the impact of the proxy.golang.org change is small, then there should only be a small number of +incompatible lines in the wild, so rejecting them quickly so module authors can fix the problem seems line a nice thing to do. Would you agree?

+incompatible is only a bug when used with a version that either has an explicit go.mod file or is not actually incompatible with the given module path.

Those really are rare: we ran several analyses to verify that (see #27173 (comment), and the folks running proxy.golang.org did their own internal analysis before removing the invalid versions).

I don't think they are as rare as you believe.

Here are two that I found in the go.mod file for client-go

https://github.com/kubernetes/client-go/blob/master/go.mod#L8

https://github.com/kubernetes/client-go/blob/master/go.mod#L21

@davecheney, please read my replies above more carefully:

+incompatible is only a bug when used with a version that either has an explicit go.mod file or is not actually incompatible with the given module path.

The two versions you note in your comment above both lack explicit go.mod files, and are therefore correct uses of the +incompatible annotation.

One quick comment: +incompatible itself is not a problem, nor is it rare.

Any module can import a v2+ package that has not opted into modules, and if the imported v2+ package has a valid semver tag, the imported package will be recorded with an +incompatible suffix in the importing module's go.mod file. That is fine and expected behavior, and an important transitional mechanism that helps modules consume non-module v2+ packages.

Using your first example:
github.com/Azure/go-autorest v11.1.2+incompatible

That is fine, because github.com/Azure/go-autorest@v11.1.2 itself does not have a go.mod file.

The main problem being discussed in this thread is when a v2+ package attempts to adopt modules, but does not follow the requirement listed in the doc quote in
#33558 (comment).

In particular:

The v12.0.0 go.mod file for k8s.io/client-go appears to be missing the required /v12 at the end of the module line:

https://github.com/kubernetes/client-go/blob/v12.0.0/go.mod#L3

module k8s.io/client-go

That module line in the client-go go.mod file should read module k8s.io/client-go/v12 (note the trailing /v12) to conform with that documentation quote in #33558 (comment).

ahh, ok. Thanks for explaining. So the rules for +incompatible are:

1. if the module does not have a go.mod file and has a sevmer tag above v1, then it is ok to list it as +incompatible. (I'm assuming the go tool, or the proxy, strips off the +incompatable at some point)
2. If the module does have a go.mod file and has a semver tag above v1 but does not conform to SIV, then the module cannot be referred to as +incompatible, the importer must fall back to the v0 pseudo version.

Correct.

As another data-point: a search for k8s.io/client-go at v12.0.0+incompatible turns up only one affected go.mod file (in github.com/kubernetes/ingress-nginx, with the replace workaround applied in kubernetes/ingress-nginx@f93bcfb), but a search for v0.0.0-20190620085101-78d2af792bab (the equivalent valid version) finds many occurrences in go.mod files throughout the ecosystem.

That suggests that (consistent with our hypothesis) most users were not affected by the buggy version served by proxy.golang.org. And that's to be expected, since Go 1.12 had to be configured explicitly in order to use proxy.golang.org.

I'm sorry that you were one of the unlucky few, but you do seem to be an outlier here.

CC @katiehockman @hyangah @heschik

I agree with Bryan on all fronts. I double-checked the logs and v12.0.0+incompatible has relatively few downloads; I don't think we made a big mistake removing it. Much better to match behavior with 1.13, where it will be the default, even if it causes some trouble for 1.12 users. Hopefully there won't be another upheaval like this in 1.14 -- I can't imagine us doing anything like this once the service is out of beta.

Sorry for the trouble, but this is why it's still in beta. We hope to fully launch very soon.

k8s.io/client-go@v12.0.0+incompatible is referred by 130 go module versions and what it means is that their builds will be broken unless they set the GOPROXY to https://gocenter.io. We will continue to serve this version. This specific version was downloaded a lot of times (in thousands) from GoCenter.
More details here - https://search.gocenter.io/k8s.io~2Fclient-go/info?version=v12.0.0%2Bincompatible

@ankushchadha, as far as I can tell, most (perhaps all?) of those 130 modules only appear to have such a dependency due to a bug in GoCenter itself, not due to anything explicitly in their go.mod files or transitive dependencies.

Arbitrarily checking the “Mod File” tab for the first eight entries listed on the “Used By” tab of https://search.gocenter.io/k8s.io~2Fclient-go/info?version=v12.0.0%2Bincompatible, I see the following note on five of them:

It seems this project has not adopted Go modules yet. Here's a suggested go.mod file for the latest version.

The other three modules I sampled from the “Used By” list show entirely different versions of k8s.io/client-go altogether!

• github.com/concourse/concourse lists k8s.io/client-go v2.0.0-alpha.0.0.20171101191150-72e1c2a1ef30+incompatible.
• github.com/pachyderm/pachyderm lists k8s.io/client-go v0.0.0-20181213230135-6924ba6dfc02.
• github.com/kubeflow/kubeflow shows a “Mod File” tab containing only a module directive and lists no dependencies whatsoever, and the underlying version as shown in GitHub does not even have a go.mod file!
  • That repository does, however, contain several nested modules that require k8s.io/client-go at various different versions, none of which are v12.0.0+incompatible.

So I'm led to believe that what you are seeing is a significant bug in GoCenter's version indexing rather than organic usage of the invalid version.

That's the current UX if the dependents have not adopted Go modules. However, there are 58 references for "k8s.io/client-go v12.0.0+incompatible" on GitHub (https://github.com/search?p=2&q=%22k8s.io%2Fclient-go+v12.0.0%2Bincompatible%22&type=Code)

I don't know how many private projects refer to this version of k8s.io/client-go.

In addition, there are 19857 modules above v1 with +incompatible suffix in GoCenter. We don't know how many of them have go.mod file but we imagine that the impact of this change is going to be huge since these modules along with dependents may not be usable anymore.

GoCenter will continue to honor the immutability and availability requirement and therefore continue to serve these module versions to achieve reproducible builds for the end-users.

Sorry if my comment is not related on this issue.

mattn/go-sqlite3#755

Last year, in go-sqlite3, topic branch v2.0.0 was created to ready to make new release. Unfortunately, v2.0.0 was not merged. mattn/go-sqlite3#611

So I removed the topic branch with git push origin :v2.0.0 but proxy.golang.org return https://proxy.golang.org/github.com/mattn/go-sqlite3/@v/list

v1.9.0
v1.3.0
v1.7.0
v1.8.0
v1.6.0
v1.0.0
v1.12.0
v1.5.0
v2.0.0+incompatible
v1.10.0
v1.11.0
v1.4.0
v1.2.0
v1.1.0

Is there any other way to solve this problem without releasing v2.0.1 of go-sqlite3 ?

Note) we did not make git tag v2.0.0

@mattn, see #34189. As of Go 1.14, if the latest compatible version has a go.mod file, the go command will prefer the compatible version over any potential +incompatible one. So it may suffice to add a go.mod file at the root of the github.com/mattn/go-sqlite3 repo.

What is the short-term solution ?
Go 1.14 is not yet released.
Is it possible to purge the proxy.golang.org cache ?

this issue broke 20+ my packages

can we please get a real/automatic fix for this ?
... super annoying to have to google for a bug and then dig through this big issue just to find out that you have to copy-paste some hack into your go.mod :(

@grosser, see kubernetes/client-go#749.

#24031 on the Go side may provide another option, in that it would allow the Kubernetes maintainers to retract all of the releases higher than v0.