buildGoModule: disable default go module proxy #71049
Conversation
Since GO 1.13, the go command caches the lookup results and tiles in $GOPATH[1], hence making the module directory non-deterministic. Use the `-f` flag when removing /sumdb, for compatibility with Go 1.12 because in that version does not exists that directory. [1] https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#command-client
| @@ -48,6 +48,13 @@ let | |||
|
|
|||
| GO111MODULE = "on"; | |||
|
|
|||
| # Disable proxying to checksum database. Since Golang 1.13, go uses | |||
| # proxy.golang.org as default GOPROXY, and it will cache the latest signed | |||
| # tree size and tree hash in $GOPATH/pkg/sumdb/<sumdb-name>/latest, hence | |||
There was a problem hiding this comment.
Have you tried simply removing the entire $GOPATH/pkg/sumdb directory instead? If we turn off GOPROXY, we might end up with a diverging result from Go 1.13 used outside of nixpkgs. Context: kubernetes/test-infra#13918
There was a problem hiding this comment.
sure, I'm going to try it; but IIUC the test-infra issue was because the jsonpatch retagged the repository
There was a problem hiding this comment.
Yes, that's correct. This will eventually happen again, but for those who are using Go 1.13 to develop their project will not notice the retag because of the proxy. If we then try to package their software, it will fail the build leading to confusion.
|
Which repo are you seeing this with? I need to go file a bug with the go
team, but I'm only aware of a problem with contest. Another example could
help figure this out :D
…On Sat, Oct 12, 2019, 15:09 Wael Nasreddine ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In pkgs/development/go-modules/generic/default.nix
<#71049 (comment)>:
> @@ -48,6 +48,13 @@ let
GO111MODULE = "on";
+ # Disable proxying to checksum database. Since Golang 1.13, go uses
+ # proxy.golang.org as default GOPROXY, and it will cache the latest signed
+ # tree size and tree hash in $GOPATH/pkg/sumdb/<sumdb-name>/latest, hence
Have you tried simply removing the entire $GOPATH/pkg/sumdb directory
instead? If we turn off caching, we might end up with a diverging result
from Go 1.13 used outside of nixpkgs. Context: kubernetes/test-infra#13918
<kubernetes/test-infra#13918>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#71049?email_source=notifications&email_token=AADWWNYGCCXOYDEW67ZXFKDQOIOHTA5CNFSM4JAD7HA2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCHYS5WY#pullrequestreview-301018843>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADWWN4RFHYUGCIUUFD3C3DQOIOHTANCNFSM4JAD7HAQ>
.
|
|
@c00w I'm getting different hashes on #71037, and #71037 tflint, for instance:
|
|
Can we try deleting pkg/mod/cache/download/sumdb during the install phase? It looks like the proof chain may be non deterministic, so deleting it may fix the output tree. |
marsam
force-pushed
the
buildGoModule-disable-goproxy
branch
from
a748903
to
69ae8a9
Compare
ofborg
bot
added
10.rebuild-darwin: 0
10.rebuild-linux: 0
and removed
10.rebuild-darwin: 101-500
10.rebuild-linux: 101-500
labels
|
@GrahamcOfBorg build jx pet gcsfuse |
|
The modSha256sum has not changed for |
|
There is perhaps a subtle bug here, since the modules are a fixed output
point, nix may reuse the cached module despite a change to how it is
generated, since the fixed output hash has not changed. If you rename the
derivation - it may show failures.
…On Tue, Oct 15, 2019, 16:37 Wael Nasreddine ***@***.***> wrote:
The modSha256sum has not changed for gcsfuse, jx or pet. Are you sure
this is needed?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#71049?email_source=notifications&email_token=AADWWN53VBELYJN23HDFEGDQOYSXZA5CNFSM4JAD7HA2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBKELHQ#issuecomment-542393758>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADWWN5EH572HZAPJQM7NO3QOYSXZANCNFSM4JAD7HAQ>
.
|
@c00w is right, modSha256 changed but the old hash is available locally so it doesn't build it. If you agree with this change, I can update the hash of all the derivations affected. |
|
Deleting the sum paths sounds good to me. Thanks for cleaning this up :D
…On Tue, Oct 15, 2019, 22:33 Mario Rodas ***@***.***> wrote:
The modSha256sum has not changed for gcsfuse, jx or pet. Are you sure this
is needed?
@c00w <https://github.com/c00w> is right, modSha256 changed but the old
hash is available locally so it doesn't build it.
If you agree with this change, I can update the hash of all the
derivations affected.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#71049?email_source=notifications&email_token=AADWWN25JKJDL3KPOGXJCSTQOZ4ORA5CNFSM4JAD7HA2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEBK2H5A#issuecomment-542483444>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AADWWNYQV6IWMCGI2PGPZ63QOZ4ORANCNFSM4JAD7HAQ>
.
|
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/make-buildgomodule-failsafe/4425/2 |
|
I think we should merge this as is without updating the underlying hashes. Currently if a developer is trying to update a module, without this fix they're going to have to do something relatively complicated or get frustrated and give up. Once this fix is merged we can update the go hashes in a separate PR, or allow it to naturally happen as versions + dependencies get updated. Additionally, since most hashes haven't been changed from go1.12 (when this wasn't a problem), the number of outstanding hashes should be relatively small. |
marsam
force-pushed
the
buildGoModule-disable-goproxy
branch
from
69ae8a9
to
589d4ff
Compare
|
yeah, it's blocking various PRs. I'm going ahead and merging this PR, and address the mismatching hashes in another PR. |
Since GO 1.13, the go command uses by default [1]
GOPROXY="https://proxy.golang.org,direct" as module proxy, which caches
the latest signed tree size and tree hash in $GOPATH[2], hence producing
a different hash every time proxy.golang.org/latest changes.
[1] https://golang.org/cmd/go/#hdr-Module_downloading_and_verification
[2] https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#command-client
Motivation for this change
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc: @kalbasit, @c00w, @rvolosatovs