fix the hash of gomodules.xyz/jsonpatch/v2

[kalbasit]

I'm seeing a hash mismatch for gomodules.xyz/jsonpatch/v2 on my end. Could be related to golang/go#29278, last change to that checksum was done in #12895. Looking at the WORKSPACE file at the time of the last change, the Go version was set to 1.12.6 🤔

$ go mod download
verifying gomodules.xyz/jsonpatch/v2@v2.0.0: checksum mismatch
        downloaded: h1:OyHbl+7IOECpPKfVK42oFr6N7+Y2dR+Jsb/IiDV3hOo=
        go.sum:     h1:lHNQverf0+Gm1TbSbVIDWVXOhZ2FpZopxRqpr2uIjs4=

Environment:

$ go version
go version go1.12.7 linux/amd64
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/yl/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/yl/code/opensource/stories/test-infra_fix-go-sum"
GOPROXY=""
GORACE=""
GOROOT="/nix/store/16qppavljzbzb8pw8bg65kr6vhrrhfdq-go-1.12.7/share/go"
GOTMPDIR=""
GOTOOLDIR="/nix/store/16qppavljzbzb8pw8bg65kr6vhrrhfdq-go-1.12.7/share/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="/nix/store/hpzj855nkgjvg58nrhq4910sb9q3kss1-gcc-wrapper-7.4.0/bin/cc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/yl/code/opensource/stories/test-infra_fix-go-sum/src/github.com/kubernetes/test-infra/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build334463718=/tmp/go-build -gno-record-gcc-switches"

[k8s-ci-robot]

Welcome @kalbasit!

It looks like this is your first PR to kubernetes/test-infra 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/test-infra has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @kalbasit. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[clarketm]

/ok-to-test

[kalbasit]

CI/Bazel disagree with my findings 🤔

 verifying gomodules.xyz/jsonpatch/v2@v2.0.0: checksum mismatch
	downloaded: h1:lHNQverf0+Gm1TbSbVIDWVXOhZ2FpZopxRqpr2uIjs4=
	go.sum:     h1:OyHbl+7IOECpPKfVK42oFr6N7+Y2dR+Jsb/IiDV3hOo= 

I'll double-check locally through Bazel.

EDIT: I can replicate the CI test result locally with Bazel. It seems that the result is inconsistent between Go directly and Go through Bazel.

Output of local bazel test //hack:verify-deps

 λ docker run --rm -it -v "$PWD":/usr/src/app -v /yl/storage/tmp/cache:/root/.cache kernald/bazel:0.27.0 bazel test //hack:verify-deps
Starting local Bazel server and connecting to it...
DEBUG: /root/.cache/bazel/_bazel_root/a14564dce24fc232216f1aef117728d1/external/bazel_toolchains/rules/rbe_repo/checked_in.bzl:256:5: rbe_default is using checked-in configs 'struct(config_repos = [], create_cc_configs = True, create_java_configs = True, env = {"ABI_LIBC_VERSION": "glibc_2.19", "ABI_VERSION": "clang", "BAZEL_COMPILER": "clang", "BAZEL_HOST_SYSTEM": "i686-unknown-linux-gnu", "BAZEL_TARGET_CPU": "k8", "BAZEL_TARGET_LIBC": "glibc_2.19", "BAZEL_TARGET_SYSTEM": "x86_64-unknown-linux-gnu", "CC": "clang", "CC_TOOLCHAIN_NAME": "linux_gnu_x86"}, java_home = "/usr/lib/jvm/java-8-openjdk-amd64", name = "9.0.0")'
INFO: Analyzed target //hack:verify-deps (1052 packages loaded, 18516 targets configured).
INFO: Found 1 test target...
INFO: Deleting stale sandbox base /root/.cache/bazel/_bazel_root/a14564dce24fc232216f1aef117728d1/sandbox
FAIL: //hack:verify-deps (see /root/.cache/bazel/_bazel_root/a14564dce24fc232216f1aef117728d1/execroot/io_k8s_test_infra/bazel-out/k8-fastbuild/testlogs/hack/verify-deps/test.log)
INFO: From Testing //hack:verify-deps:
==================== Test output for //hack:verify-deps:
Checking modules for changes...
Updating modules...

[ ... snip ... ]

verifying gomodules.xyz/jsonpatch/v2@v2.0.0: checksum mismatch
        downloaded: h1:lHNQverf0+Gm1TbSbVIDWVXOhZ2FpZopxRqpr2uIjs4=
        go.sum:     h1:OyHbl+7IOECpPKfVK42oFr6N7+Y2dR+Jsb/IiDV3hOo=
FAILED
================================================================================
Target //hack:verify-deps up-to-date:
  bazel-bin/hack/verify-deps
INFO: Elapsed time: 235.708s, Critical Path: 184.13s
INFO: 3 processes: 3 processwrapper-sandbox.
INFO: Build completed, 1 test FAILED, 5 total actions
//hack:verify-deps                                                       FAILED in 108.8s
  /root/.cache/bazel/_bazel_root/a14564dce24fc232216f1aef117728d1/execroot/io_k8s_test_infra/bazel-out/k8-fastbuild/testlogs/hack/verify-deps/test.log

INFO: Build completed, 1 test FAILED, 5 total actions

Digging a little deeper, I thought that it could be a problem in my environment. Specifically the Go version coming from nixpkgs could be problematic. However, it seems that the offical Go image agrees with the Nix version over Bazel.

Output of the docker build with my patch

 λ docker run --rm -it -v "$PWD":/go -e GO111MODULES=on -e GOPATH=/root golang:1.12.7 go mod tidy
# returns nothing, exist status 0

Output of the docker build without my patch (test-infra at b164399)

 λ docker run --rm -it -v "$PWD":/go -e GO111MODULES=on -e GOPATH=/root golang:1.12.7 go mod tidy
verifying gomodules.xyz/jsonpatch/v2@v2.0.0: checksum mismatch
        downloaded: h1:OyHbl+7IOECpPKfVK42oFr6N7+Y2dR+Jsb/IiDV3hOo=
        go.sum:     h1:lHNQverf0+Gm1TbSbVIDWVXOhZ2FpZopxRqpr2uIjs4=

[kalbasit]

/cc @jayconrod

[k8s-ci-robot]

@kalbasit: GitHub didn't allow me to request PR reviews from the following users: jayconrod.

Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @jayconrod

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[clarketm]

/cc @fejta
Any idea why go and bazel are in disagreement?

[jayconrod]

The correct hash is h1:lHNQverf0+Gm1TbSbVIDWVXOhZ2FpZopxRqpr2uIjs4= for gomodules.xyz/jsonpatch/v2@v2.0.0. Verified by running go get -d gomodules.xyz/jsonpatch/v2@v2.0.0 with an empty mod cache and sumdb enabled with go1.13beta1.

@kalbasit If you're seeing go mod download -json give something else, data in your module cache may be incorrect. Try with an empty module cache (GOPATH=$(mktemp -d) or go clean -modcache). I'm guessing Bazel and Go are in disagreement because, by default, go_repository uses its own module cache instead of the host's module cache, so if one were corrupted, the other might not be. go_repository uses go mod download to fetch modules, so there shouldn't be differences there.

A number of things can cause module cache corruption: the upstream tag could have changed (and changed back?), data could be corrupted in memory or on disk, and of course bugs. If you're able to reproduce this with an empty module cache, please file an issue in golang/go and cc me.

[jayconrod]

Easier way to verify a specific sum: https://sum.golang.org/lookup/gomodules.xyz/jsonpatch/v2@v2.0.0

The Go command hits that endpoint when it starts to verify a new module. It downloads other parts of a Merkle tree to ensure the hashes haven't been tampered with, but that's the start of it. More details in the sumdb proposal.

[spiffxp]

/uncc

[fejta]

Different golang versions sometimes produce different hashes

[kalbasit]

@jayconrod I can replicate using the official Go docker image version 1.12.7 with no cache.

$ git clone git@github.com:kubernetes/test-infra.git
$ cd test-infra
$ docker run --rm -it -v "$PWD":/go -e GO111MODULES=on -e GOPATH=/root golang:1.12.7 go mod download
verifying gomodules.xyz/jsonpatch/v2@v2.0.0: checksum mismatch
	downloaded: h1:OyHbl+7IOECpPKfVK42oFr6N7+Y2dR+Jsb/IiDV3hOo=
	go.sum:     h1:lHNQverf0+Gm1TbSbVIDWVXOhZ2FpZopxRqpr2uIjs4=

Can you replicate that?

[kalbasit]

I cannot replicate with version 1.13beta1

docker run --rm -it -v "$PWD":/go -e GO111MODULES=on -e GOPATH=/root golang:1.13beta1 go mod download

You're right @fejta

However! Bazel is using version 1.12.7, and it's computing the hash as seen by 1.13, how come?

[jayconrod]

Different golang versions sometimes produce different hashes

@fejta This isn't true in general. Between 1.11.3 and 1.11.4, we shipped a "fix" to the way module zip files were prepared that affected the hashes. This was a mistake: one we will be very careful not to repeat. The algorithm for preparing and hashing module zip files is now basically set in stone. sum.golang.org serves signed hashes that aren't specific to any version of Go.

I can replicate using the official Go docker image version 1.12.7 with no cache.

@kalbasit I was able to reproduce this using the command you pasted. I was also able to reproduce this in go1.13beta1 with GOPROXY=direct GOSUMDB=off. I think that explains the difference in version. By default, go1.13 retrieves module zip files from proxy.golang.org instead of cloning the repository locally.

Looking at the differences between the zip files, I think the author of this module changed the commit that v2.0.0 points to. The proxy cached the module at an earlier version of that tag. go1.12.7 (or 1.13 in direct mode) sees the current version. Here's the diff:

diff -urN proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/.gitignore direct/gomodules.xyz/jsonpatch/v2@v2.0.0/.gitignore
--- proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/.gitignore	1979-12-31 00:00:00.000000000 -0500
+++ direct/gomodules.xyz/jsonpatch/v2@v2.0.0/.gitignore	1969-12-31 19:00:00.000000000 -0500
@@ -1,27 +0,0 @@
-# Compiled Object files, Static and Dynamic libs (Shared Objects)
-*.o
-*.a
-*.so
-
-# Folders
-_obj
-_test
-
-# Architecture specific extensions/prefixes
-*.[568vq]
-[568vq].out
-
-*.cgo1.go
-*.cgo2.c
-_cgo_defun.c
-_cgo_gotypes.go
-_cgo_export.*
-
-_testmain.go
-
-*.exe
-*.test
-*.prof
-
-/.idea
-/vendor
diff -urN proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/.travis.yml direct/gomodules.xyz/jsonpatch/v2@v2.0.0/.travis.yml
--- proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/.travis.yml	1979-12-31 00:00:00.000000000 -0500
+++ direct/gomodules.xyz/jsonpatch/v2@v2.0.0/.travis.yml	1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-language: go
-go:
- - 1.x
- - tip
-
-go_import_path: gomodules.xyz/jsonpatch
-
-cache:
-  directories:
-  - $HOME/.cache/go-build
-  - $GOPATH/pkg/mod
-
-env:
-  - GO111MODULE=on
-
-script:
- - go test -v
diff -urN proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/CHANGELOG.md direct/gomodules.xyz/jsonpatch/v2@v2.0.0/CHANGELOG.md
--- proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/CHANGELOG.md	1979-12-31 00:00:00.000000000 -0500
+++ direct/gomodules.xyz/jsonpatch/v2@v2.0.0/CHANGELOG.md	1969-12-31 19:00:00.000000000 -0500
@@ -1,37 +0,0 @@
-# Change Log
-
-## [v2.0.0](https://github.com/gomodules/jsonpatch/tree/v2.0.0) (2019-06-25)
-[Full Changelog](https://github.com/gomodules/jsonpatch/compare/1.0.0...v2.0.0)
-
-**Merged pull requests:**
-
-- Update go.mod and remove vendor folder [\#18](https://github.com/gomodules/jsonpatch/pull/18) ([tamalsaha](https://github.com/tamalsaha))
-- Change package path to gomodules.xyz/jsonpath [\#17](https://github.com/gomodules/jsonpatch/pull/17) ([tamalsaha](https://github.com/tamalsaha))
-- \[Emergency\] correct array index in backtrace [\#16](https://github.com/gomodules/jsonpatch/pull/16) ([kdada](https://github.com/kdada))
-- Added support for arrays at the root [\#15](https://github.com/gomodules/jsonpatch/pull/15) ([e-nikolov](https://github.com/e-nikolov))
-- Fix the example code in readme [\#14](https://github.com/gomodules/jsonpatch/pull/14) ([pytimer](https://github.com/pytimer))
-
-## [1.0.0](https://github.com/gomodules/jsonpatch/tree/1.0.0) (2019-01-08)
-**Fixed bugs:**
-
-- Correctly generate patch for nested object [\#8](https://github.com/gomodules/jsonpatch/issues/8)
-
-**Closed issues:**
-
-- Do releases and in SemVer [\#12](https://github.com/gomodules/jsonpatch/issues/12)
-- Generated patch incorrect for Array replacement [\#1](https://github.com/gomodules/jsonpatch/issues/1)
-
-**Merged pull requests:**
-
-- Add JsonPatchOperation as type alias for Operation [\#13](https://github.com/gomodules/jsonpatch/pull/13) ([tamalsaha](https://github.com/tamalsaha))
-- Migrate to go mod [\#10](https://github.com/gomodules/jsonpatch/pull/10) ([tamalsaha](https://github.com/tamalsaha))
-- Add test for nested object [\#9](https://github.com/gomodules/jsonpatch/pull/9) ([tamalsaha](https://github.com/tamalsaha))
-- Add test for edit distance computation [\#7](https://github.com/gomodules/jsonpatch/pull/7) ([tamalsaha](https://github.com/tamalsaha))
-- Append edit distance operations from end to start [\#6](https://github.com/gomodules/jsonpatch/pull/6) ([tamalsaha](https://github.com/tamalsaha))
-- Add travis file [\#4](https://github.com/gomodules/jsonpatch/pull/4) ([tamalsaha](https://github.com/tamalsaha))
-- Run go fmt [\#3](https://github.com/gomodules/jsonpatch/pull/3) ([tamalsaha](https://github.com/tamalsaha))
-- Fix array comparison [\#2](https://github.com/gomodules/jsonpatch/pull/2) ([tamalsaha](https://github.com/tamalsaha))
-
-
-
-\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
\ No newline at end of file
diff -urN proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/README.md direct/gomodules.xyz/jsonpatch/v2@v2.0.0/README.md
--- proxy/gomodules.xyz/jsonpatch/v2@v2.0.0/README.md	1979-12-31 00:00:00.000000000 -0500
+++ direct/gomodules.xyz/jsonpatch/v2@v2.0.0/README.md	1969-12-31 19:00:00.000000000 -0500
@@ -1,52 +0,0 @@
-# jsonpatch
-
-[![Build Status](https://travis-ci.org/gomodules/jsonpatch.svg?branch=master)](https://travis-ci.org/gomodules/jsonpatch)
-[![Go Report Card](https://goreportcard.com/badge/gomodules.xyz/jsonpatch "Go Report Card")](https://goreportcard.com/report/gomodules.xyz/jsonpatch)
-[![GoDoc](https://godoc.org/gomodules.xyz/jsonpatch?status.svg "GoDoc")](https://godoc.org/gomodules.xyz/jsonpatch)
-
-As per http://jsonpatch.com JSON Patch is specified in RFC 6902 from the IETF.
-
-JSON Patch allows you to generate JSON that describes changes you want to make to a document, so you don't have to send the whole doc. JSON Patch format is supported by HTTP PATCH method, allowing for standards based partial updates via REST APIs.
-
-```console
-go get gomodules.xyz/jsonpatch/v2
-```
-
-I tried some of the other "jsonpatch" go implementations, but none of them could diff two json documents and generate format like jsonpatch.com specifies. Here's an example of the patch format:
-
-```json
-[
-  { "op": "replace", "path": "/baz", "value": "boo" },
-  { "op": "add", "path": "/hello", "value": ["world"] },
-  { "op": "remove", "path": "/foo"}
-]
-
-```
-The API is super simple
-
-## example
-
-```go
-package main
-
-import (
-	"fmt"
-	"gomodules.xyz/jsonpatch/v2"
-)
-
-var simpleA = `{"a":100, "b":200, "c":"hello"}`
-var simpleB = `{"a":100, "b":200, "c":"goodbye"}`
-
-func main() {
-	patch, e := jsonpatch.CreatePatch([]byte(simpleA), []byte(simpleB))
-	if e != nil {
-		fmt.Printf("Error creating JSON patch:%v", e)
-		return
-	}
-	for _, operation := range patch {
-		fmt.Printf("%s\n", operation.Json())
-	}
-}
-```
-
-This code needs more tests, as it's a highly recursive, type-fiddly monster. It's not a lot of code, but it has to deal with a lot of complexity.

However! Bazel is using version 1.12.7, and it's computing the hash as seen by 1.13, how come?

Not sure about that. In module mode, go_repository uses go mod download internally, so it should get the same result. However, it has its own cache, so the original v2.0.0 might be cached. It also respects GOPROXY, so if you were using a proxy at any point earlier, it would download the file there instead of cloning the repo.

[kalbasit]

@jayconrod what do you suggest we do here then? I applied this patch downstream to get it packaged, but I don't want to keep having to maintain that patch.

[fejta]

How do we clean the go_repository module cache (on RBE)?

go clean -modcache appears to make my workstation happy, not sure if we can get CI presubmits to pass...

[jayconrod]

It looks like this was reported to the module author (gomodules/jsonpatch#21) two weeks ago, but there's been no response. 😞

There are a number of ways to workaround this.

To keep Go and Bazel in sync, Instead of depending on v2.0.0, you could use the commit right behind that, v2.0.0-20190626003512-87910169748d. It looks like the only difference is in the text of the changelog, so there should be no change in functionality.

go get -d gomodules.xyz/jsonpatch/v2@87910169748dec27c7d744e9db6936e310813b37
bazel run //:gazelle -- update-repos -from_file=go.mod

A Bazel-only workaround would be to change the go_repository rule to operate in VCS mode instead of module mode.

# keep
go_repository(
    name = "xyz_gomodules_jsonpatch_v2",
    importpath = "gomodules.xyz/jsonpatch/v2",
    commit = "e8422f09d27ee2c8cfb2c7f8089eb9eeb0764849", # v2.0.0 as of 2019-08-19
)

[sbueringer]

Looks like I inherited that problem because I'm depending on controller-runtime. So the fix for me was to add the following to the go.mod file (I guess until it's adjusted in controller-runtime):

replace (
	gomodules.xyz/jsonpatch/v2 => gomodules.xyz/jsonpatch/v2 v2.0.0-20190626003512-87910169748d
)

[DirectXMan12]

@tamalsaha FYI

[tamalsaha]

Hi, I had reapplied the tag when we were dealing with gomodules/jsonpatch#20 issue. The tag has not changed since then. It seems that Go is retroactively applying tag verification.

Any thoughts how to fix this?

[fejta]

@tamalsaha golang considers versions immutable. Once you published v2.0.0, patching this release requires incrementing the version to v2.0.1 (or later). Golang does not support replacing a published version.

Can you address gomodules/jsonpatch#21 and release v2.0.1 at the current commit? Also consider resetting v2.0.0 to the initial commit if you can do so.

Since proxy.golang.org considers the initial version of v2.0.0 the canonical one, this is what golang 1.13 will distribute to everyone. It is also what people using earlier versions of golang will receive if they export GOPROXY=proxy.golang.org.

[tamalsaha]

So, what do I do? Just apply the v2.0.1 tag to old release and push to git repo?

Also, I don't understand why GO is capturing tags and complaining when Go modules are not on by default. I thought this was the time we experiment and learn this.

[tamalsaha]

Also, should the tag be v2.0.1 or v2/v2.0.1, since the module file is inside v2 folder?

[fejta]

Just apply the v2.0.1 tag to old release and push to git repo?

Yep, I think that will work nicely! And thanks for following up!

GO is capturing tags and complaining when Go modules are not on by default

In 1.13 -- when modules are enabled -- golang will default to using a GOPROXY instead of downloading directly. This is important for things like CI since proxy.golang.org can handle a lot of concurrent requests without slowing down. It also makes sure a popular package doesn't DOS the tiny developer who publishes it. So people using modules tend to turn it on.

For example in our repo our scripts to upgrade dependencies explicitly turn on modules and proxies:

test-infra/hack/update-deps.sh

Line 76 in 71dd306

export GO111MODULE=on

test-infra/hack/update-deps.sh

Lines 96 to 97 in 71dd306

	export GOPROXY=https://proxy.golang.org
	export GOSUMDB=sum.golang.org

[fejta]

@kalbasit, can you try refactoring this PR to upgrade the jsonpatch module to v2.0.1?

[kalbasit]

@kalbasit, can you try refactoring this PR to upgrade the jsonpatch module to v2.0.1?

Sure.

[kalbasit]

@fejta it's done.

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 6b5f383eb9ba1360736ea1e2b08543fae62b4e6c

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fejta, kalbasit

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [fejta]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment