tag v1.10.0 go mod tidy fail. go sum report mismatch

[xiaoyang-chen]

What happened and what you expected to happen:

How to reproduce it (as minimally and precisely as possible):
git clone this repo, and branch switch to tag v1.10.0, then run go mod tidy
Anything else we need to know?:

Environment:

• Kubernetes version (use kubectl version):
• KubeEdge version(e.g. cloudcore --version and edgecore --version):

[gy95]

i tried on my local machine, and did't encounter this error. which golang version are you using? :)

[xiaoyang-chen]

i tried on my local machine, and did't encounter this error. which golang version are you using? :)

go version 1.18. @gy95

[gy95]

I use go 1.16, but when i use go1.18, it worked well :)
docker run --rm -v /root/go/src/github.com/kubeedge/kubeedge/:/work -w /work golang:1.18 go mod tidy

and why do you run go mod tidy command? i recommend just running make verify-vendor command in the project root repo dir, kubeedge has provided the verification cmd and script https://github.com/kubeedge/kubeedge/blob/master/hack/verify-vendor.sh

[xiaoyang-chen]

I use go 1.16, but when i use go1.18, it worked well :) docker run --rm -v /root/go/src/github.com/kubeedge/kubeedge/:/work -w /work golang:1.18 go mod tidy

and why do you run go mod tidy command? i recommend just running make verify-vendor command in the project root repo dir, kubeedge has provided the verification cmd and script https://github.com/kubeedge/kubeedge/blob/master/hack/verify-vendor.sh

I want to develop base on tag v1.10.0 and will write code into some go file, maybe will import new package, so need go mod tidy

[gy95]

oh, if so, it's better to just run make verify command directly, and there're some verification scripts. you can take a look at these scripts.

[xiaoyang-chen]

oh, if so, it's better to just run make verify command directly, and there're some verification scripts. you can take a look at these scripts.

make verify report this error

root@ubuntu:/home/wjd/Desktop/kubeedge# make verify
hack/verify-golang.sh
go detail version: go version go1.18 linux/amd64
go version: 1.18
hack/verify-vendor.sh
/home/wjd/Desktop/kubeedge/staging/src/github.com/kubeedge/beehive /home/wjd/Desktop/kubeedge
running 'go mod tidy' for beehive
go: downloading github.com/google/uuid v1.1.2
go: downloading gopkg.in/yaml.v2 v2.2.8
go: downloading gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
running 'go mod vendor' for beehive
/home/wjd/Desktop/kubeedge
/home/wjd/Desktop/kubeedge/staging/src/github.com/kubeedge/viaduct /home/wjd/Desktop/kubeedge
running 'go mod tidy' for viaduct
go: downloading github.com/golang/mock v1.4.4
go: downloading github.com/bifurcation/mint v0.0.0-20180715133206-93c51c6ce115
go: downloading github.com/cheekybits/genny v0.0.0-20170328200008-9127e812e1e9
go: downloading github.com/onsi/ginkgo v1.11.0
go: downloading github.com/onsi/gomega v1.8.1
go: downloading google.golang.org/protobuf v1.23.0
go: downloading github.com/google/go-cmp v0.4.0
go: downloading golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
go: downloading github.com/lucas-clemente/aes12 v0.0.0-20171027163421-cd47fb39b79f
go: downloading github.com/hashicorp/golang-lru v0.0.0-20180201235237-0fb14efe8c47
go: downloading github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cced
go: downloading github.com/hpcloud/tail v1.0.0
go: downloading golang.org/x/sys v0.0.0-20190322080309-f49334f85ddc
go: downloading golang.org/x/net v0.0.0-20190311183353-d8887717615a
go: downloading golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
go: downloading golang.org/x/text v0.3.0
go: downloading gopkg.in/fsnotify.v1 v1.4.7
running 'go mod vendor' for viaduct
/home/wjd/Desktop/kubeedge
running 'go mod tidy' for repo root
go: downloading github.com/docker/distribution v2.8.0+incompatible
go: downloading k8s.io/component-helpers v0.22.6
verifying github.com/docker/distribution@v2.8.0+incompatible: checksum mismatch
downloaded: h1:u9vuu6qqG7nN9a735Noed0ahoUm30iipVRlhgh72N0M=
go.sum: h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:75: verify-vendor] Error 1

"SECURITY ERROR" in this error report

[xiaoyang-chen]

oh, if so, it's better to just run make verify command directly, and there're some verification scripts. you can take a look at these scripts.

in update-vendor.sh

[xiaoyang-chen]

this is the the docker verdor's issue, not in this repo?

[gy95]

you can google the info.
SECURITY ERROR This download does NOT match an earlier download recorded in go.sum. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt.
just need run go clean -modcache first?

[xiaoyang-chen]

you can google the info. SECURITY ERROR This download does NOT match an earlier download recorded in go.sum. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt. just need run go clean -modcache first?

panjf2000/ants#49
report similar issue,
panjf2000/ants#168 fix it, it seems that docker vendor re-tagged after kubeedge tag v1.10.0

[xiaoyang-chen]

already fix in my code-repo, close this issue? @gy95

[gy95]

sure, it's up to you if there's no need to fix it in the main repo.