Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"go mod vendor" picks wrong commit for a tagged version #43034

Closed
coypoop opened this issue Dec 6, 2020 · 2 comments
Closed

"go mod vendor" picks wrong commit for a tagged version #43034

coypoop opened this issue Dec 6, 2020 · 2 comments
Labels
FrozenDueToAge

Comments

@coypoop
Copy link
Contributor

coypoop commented Dec 6, 2020
edited

Apologies if it is a duplicate report.

What version of Go are you using (go version)?

$ go version
go version go1.15.5 netbsd/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

NetBSD amd64

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/fly/.cache/go-build"
GOENV="/home/fly/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="netbsd"
GOINSECURE=""
GOMODCACHE="/home/fly/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="netbsd"
GOPATH="/home/fly/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/pkg/go115"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/pkg/go115/pkg/tool/netbsd_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build989125027=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Reproducer script:

#!/bin/sh
cat << EOF > main.go
package reporters

import (
	"github.com/onsi/ginkgo"

	ginkgo_reporters "kubevirt.io/qe-tools/pkg/ginkgo-reporters"
)

// NewReporters is a function to gather new ginkgo test reporters
func NewReporters() []ginkgo.Reporter {
	reporters := make([]ginkgo.Reporter, 0)
	if ginkgo_reporters.Polarion.Run {
		reporters = append(reporters, &ginkgo_reporters.Polarion)
	}
	if ginkgo_reporters.JunitOutput != "" {
		reporters = append(reporters, ginkgo_reporters.NewJunitReporter())
	}
	return reporters
}
EOF

cat << EOF > go.mod
module example.com/m

require (
	kubevirt.io/qe-tools v0.1.3
	github.com/onsi/ginkgo v1.12.1
)
EOF

go mod vendor

git clone https://github.com/kubevirt/qe-tools
sh -c "cd qe-tools && git checkout v0.1.3"

diff -ru qe-tools/ vendor/kubevirt.io/qe-tools/

What did you expect to see?

I expect to see no/little output from the diff -ru qe-tools vendor/kubevirt.io/qe-tools/ at the end of running this script, as there should be no difference between Go's vendored v0.1.3 and the "git checkout v0.1.3" directory.

What did you see instead?

Long diff, the wrong commit (two commits early) was picked.
@seankhliao
Copy link
Member

(most likely) kubevirt.io/qe-tools moved their tag

if you try with GOPROXY=direct and a clean modcache

example.com/m imports
	kubevirt.io/qe-tools/pkg/ginkgo-reporters: kubevirt.io/qe-tools@v0.1.3: verifying module: checksum mismatch
	downloaded: h1:TUQdOK40a5/wLwYQwiy56WBaS+OYcGxAEHe9rhEPZZM=
	sum.golang.org: h1:ZDDolkD2IsHuPW8PNyty5fWO6wpI2BXcQpC65en/9FU=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

@coypoop
Copy link
Contributor Author

coypoop commented Dec 6, 2020

I see, thanks.

@coypoop coypoop closed this as completed Dec 6, 2020
@golang golang locked and limited conversation to collaborators Dec 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @seankhliao @coypoop