proxy.golang.org returning 410 for k8s.io/[email protected]+incompatible #33558
Comments
|
You have likely already seen this, but some chance related to #33513 (comment) |
|
Note the error text returned by that URL: See https://tip.golang.org/doc/go1.13#version-validation for more detail and advice on fixes and workarounds. |
|
See also #32695. |
|
Duplicate of #32805 |
|
FWIW, a bit more detail. The v12.0.0 https://github.com/kubernetes/client-go/blob/v12.0.0/go.mod#L3 From the
|
|
Some additional context is that proxy.golang.org was recently updated to use 1.13beta1, which included "invalidating some old module versions that are currently being served from proxy.golang.org but are no longer valid in 1.13". Some more details from the one of the announcements on golang-dev:
|
|
@bcmills i'm sorry to reopen this but this has broken our Go 1.12 builds, we're not in a position to upgrade to 1.13beta1. We need a solution that restores functionality for Go 1.12. |
|
@davecheney, a |
bcmills
added
modules
WaitingForInfo
|
Two other potential options when using the Go 1.12
|
|
@bcmills this worked last week. Our builds built last week using Go 1.12. They worked on Monday. Something has broken in proxy.golang.org that means it no longer works as it did just a few days ago. It's unreasonable to ask users to change their go.mod configuration because proxy.golang.org can no longer serve valid artefacts that it served a few days ago. |
|
Further,
Clearly this is not true, v12 of client-go is a very popular dependency and now it is inaccessible for Go 1.12 users using proxy.golang.org. |
|
One other possible solution is I think 1.12 can be forced to use a pseudo-version with a commit hash corresponding to the v12.0.0 tag of k8s.io/client-go. In particular, this works:
with this result recorded in 78d2af792bab is the commit hash for v12.0.0 of client-go. An alternative path to a similar result: which then results in a |
The The fact that |
|
See also kubernetes/client-go#631. |
It may be a bug, but the bug exists in Go 1.12, the version that produced that line. Saying it's a bug is fine, but breaking projects that were happily working up to a few days ago is pretty unfriendly behaviour. |
|
@bcmills given that go.mod files with lines ending in |
|
The bug in Go 1.12 required manual exploitation by users (adding an explicit The only users who would have picked it up without manual intervention would have picked it up from a cache or proxy entry introduced by some other module that manually exploited the bug. Moreover, there is a simple workaround available: |
|
Adding the same validation to the proxy path is #32955, but that's a harder problem in general because the protocol erases version control history. (It's possible to do for invalid |
|
Thanks for clarifying. If |
|
Those really are rare: we ran several analyses to verify that (see #27173 (comment), and the folks running |
|
I don't think they are as rare as you believe. Here are two that I found in the https://github.com/kubernetes/client-go/blob/master/go.mod#L8 https://github.com/kubernetes/client-go/blob/master/go.mod#L21 |
|
@davecheney, please read my replies above more carefully:
The two versions you note in your comment above both lack explicit |
|
One quick comment: Any module can import a v2+ package that has not opted into modules, and if the imported v2+ package has a valid semver tag, the imported package will be recorded with an +incompatible suffix in the importing module's go.mod file. That is fine and expected behavior, and an important transitional mechanism that helps modules consume non-module v2+ packages. Using your first example: That is fine, because github.com/Azure/[email protected] itself does not have a The main problem being discussed in this thread is when a v2+ package attempts to adopt modules, but does not follow the requirement listed in the doc quote in In particular:
That |
|
ahh, ok. Thanks for explaining. So the rules for
|
|
Correct. |
|
As another data-point: a search for That suggests that (consistent with our hypothesis) most users were not affected by the buggy version served by I'm sorry that you were one of the unlucky few, but you do seem to be an outlier here. |
bcmills
removed
the
WaitingForInfo
bcmills
added
the
NeedsInvestigation
|
CC @katiehockman @hyangah @heschik |
|
I agree with Bryan on all fronts. I double-checked the logs and v12.0.0+incompatible has relatively few downloads; I don't think we made a big mistake removing it. Much better to match behavior with 1.13, where it will be the default, even if it causes some trouble for 1.12 users. Hopefully there won't be another upheaval like this in 1.14 -- I can't imagine us doing anything like this once the service is out of beta. Sorry for the trouble, but this is why it's still in beta. We hope to fully launch very soon. |
|
k8s.io/[email protected]+incompatible is referred by 130 go module versions and what it means is that their builds will be broken unless they set the GOPROXY to https://gocenter.io. We will continue to serve this version. This specific version was downloaded a lot of times (in thousands) from GoCenter. |
|
@ankushchadha, as far as I can tell, most (perhaps all?) of those 130 modules only appear to have such a dependency due to a bug in GoCenter itself, not due to anything explicitly in their Arbitrarily checking the “Mod File” tab for the first eight entries listed on the “Used By” tab of https://search.gocenter.io/k8s.io~2Fclient-go/info?version=v12.0.0%2Bincompatible, I see the following note on five of them:
The other three modules I sampled from the “Used By” list show entirely different versions of
So I'm led to believe that what you are seeing is a significant bug in GoCenter's version indexing rather than organic usage of the invalid version. |
|
That's the current UX if the dependents have not adopted Go modules. However, there are 58 references for "k8s.io/client-go v12.0.0+incompatible" on GitHub (https://github.com/search?p=2&q=%22k8s.io%2Fclient-go+v12.0.0%2Bincompatible%22&type=Code) I don't know how many private projects refer to this version of k8s.io/client-go. In addition, there are 19857 modules above v1 with +incompatible suffix in GoCenter. We don't know how many of them have go.mod file but we imagine that the impact of this change is going to be huge since these modules along with dependents may not be usable anymore. GoCenter will continue to honor the immutability and availability requirement and therefore continue to serve these module versions to achieve reproducible builds for the end-users. |
The k8s.io/client-go v12 go.mod file has an error. See golang/go#33558 Signed-off-by: Bryan Boreham <[email protected]>
Upgrade client-go 11.0.0→11.0.0+patches, consul 1.4.4→1.5.0 A while back, I tried upgrading client-go to v12 (kube 1.15) in teleproxy.git, mostly just as an exercise to see how difficult it would be, not because I actually wanted to switch to v12. I failed to do it, and ended up in dependency hell. I came to the conclusion that trying to manage client-go's dependencies *and* your own dependencies at the same time was a nightmare, and that it would be a good idea to have a separate library just to isolate the dependencies of client-go. I made that library! https://github.com/datawire/libk8s. Currently, it does nothing but anonymous-import every part of client-go, and properly declare all of the versions of dependencies. > Spoilers: There are probably 2 more reasons that extra-contributed > to my trouble: > - client-go v12 claims to be a valid Go module, but isn't. The fact > that the Go 1.12 compiler accepts it is a bug in the compiler (the > Go 1.13 compiler does not) > <golang/go#33558 (comment)>. > I was using Go 1.12.7, but I figure this didn't help > - It got really confused about consul. If you try to resolve a > package in `github.com/hashicorp/consul/api/...`, it discovers > "yeah, there's a `github.com/hashicorp/consul/api` module (that is > a sub-module of `github.com/hashicorp/consul`)!" But it didn't > become a sub-module until consul v1.5.0; we're using v1.4.4, in > which it wasn't split off yet. The whole thing confuses `go mod > tidy`. Also, we'd been using the `v11.0.0` tag of `client-go`. Did you know that there's a `release-11.0` branch that gets bug-fixes and security fixes!? OK, so this PR is about equal parts of several things: - Try out using https://github.com/datawire/libk8s to manage the dependency on client-go. - Try out upgrading client-go (still v11, but with a few commits from the `release-11.0` branch) - Figure out why the hell `go mod tidy` was breaking the build (answer: consul) - I tried upgrading the version of the teleproxy library that APro uses, and got some weird error. Hopefully this fixes it.
…v1.15.4 of k8s api/apimachinery in sync with other voltha components Had to use pseudo-version corresponding to v12.0.0 of k8s client-go because golang proxy is no longer serving the modules not complying to Semantic Import Versioning rules including client-go v12.0.0. Refer to kubernetes/client-go#631 and golang/go#33558 Change-Id: I2e558bab7f0702f230761319eb5392a7d0532ea3
|
Sorry if my comment is not related on this issue. Last year, in go-sqlite3, topic branch v2.0.0 was created to ready to make new release. Unfortunately, v2.0.0 was not merged. mattn/go-sqlite3#611 So I removed the topic branch with Is there any other way to solve this problem without releasing v2.0.1 of go-sqlite3 ? Note) we did not make git tag v2.0.0 |
|
What is the short-term solution ? |
|
this issue broke 20+ my packages |
|
can we please get a real/automatic fix for this ? |
|
@grosser, see kubernetes/client-go#749. #24031 on the Go side may provide another option, in that it would allow the Kubernetes maintainers to retract all of the releases higher than |
proxy.golang.org has stoped returning the correct result for k8s.io/client-go v 12.0.0
Note: the
env GOPATH...is to avoid having to sudo rm -rf my $HOME/pkg/mod directory.This was working on Friday and has broken our CI.
The text was updated successfully, but these errors were encountered: