Re: [go-nuts] go mod verify fails for github.com/docker/docker and github.com/hashicorp/go-rootcerts

[andrey mirtchovski]

There was a change to how go mod treats softlinks in repositories
which changed the hash generated for some packages (we found out the
issue via git.apache.org/thrift.git). If the repo contains softlinks
and you generated your go.mod file before Go 1.11.3 (Go 1.11.2 still
exhibited the bug) then the hashes will have changed.

Not sure if that's the problem you're experiencing, but another way to
verify is to go back to your older Go version and see if go mod verify
passes there (after cleaning all caches).

On Mon, Feb 18, 2019 at 7:52 AM Joseph Lorenzini  wrote:
>
> Hi all,
>
> I've been using go modules since 1.10. I am now on 1.11.5. Go mod verify is 
> now failing since I went to go 1.11. Negative is old, plus is new.
>
> -github.com/docker/docker v0.7.3-0.20180827131323-0c5f8d2b9b23 
> h1:Zl/9mUfPbYbnv895OXx9WfxPjwqSZHohuZzVcjJ5QPQ=
> +github.com/docker/docker v0.7.3-0.20180827131323-0c5f8d2b9b23 
> h1:mJtkfC9RUrUWHMk0cFDNhVoc9U3k2FRAzEZ+5pqSIHo=
> -github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90 
> h1:9HVkPxOpo+yO93Ah4yrO67d/qh0fbLLWbKqhYjyHq9A=
> +github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90 
> h1:VBj0QYQ0u2MCJzBfeYXGexnAl17GsH1yidnoxCqqD9E=
>
> I can "fix" this by simply removing the offending entries and allowing go mod 
> tidy to repopulate them. However, that defeats the purpose of the go.sum, 
> which is to say if a go mod verify has failed, then this should mean that the 
> source code I thought I had no longer exists.  What I am trying to figure out 
> is if the way go calculates the hashes has changed and there was or is a bug 
> in that or the source code for these two packages at the given git commit ID 
> no longer matches the source code checked out on disk. The later is more 
> concerning to me.
>
> Thanks,
> Joe
>
> --
> You received this message because you are subscribed to the Google Groups 
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[go-nuts] go mod verify fails for github.com/docker/docker and github.com/hashicorp/go-rootcerts

[Joseph Lorenzini]

Hi all,

I've been using go modules since 1.10. I am now on 1.11.5. Go mod verify is 
now failing since I went to go 1.11. Negative is old, plus is new.

-github.com/docker/docker v0.7.3-0.20180827131323-0c5f8d2b9b23 
h1:Zl/9mUfPbYbnv895OXx9WfxPjwqSZHohuZzVcjJ5QPQ=
+github.com/docker/docker v0.7.3-0.20180827131323-0c5f8d2b9b23 
h1:mJtkfC9RUrUWHMk0cFDNhVoc9U3k2FRAzEZ+5pqSIHo=
-github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90 
h1:9HVkPxOpo+yO93Ah4yrO67d/qh0fbLLWbKqhYjyHq9A=
+github.com/hashicorp/go-rootcerts v0.0.0-20160503143440-6bb64b370b90 
h1:VBj0QYQ0u2MCJzBfeYXGexnAl17GsH1yidnoxCqqD9E=

I can "fix" this by simply removing the offending entries and allowing go 
mod tidy to repopulate them. However, that defeats the purpose of the 
go.sum, which is to say if a go mod verify has failed, then this should 
mean that the source code I thought I had no longer exists.  What I am 
trying to figure out is if the way go calculates the hashes has changed and 
there was or is a bug in that *or *the source code for these two packages 
at the given git commit ID no longer matches the source code checked out on 
disk. The later is more concerning to me.

Thanks,
Joe 

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.