Switch jsonschema validation libraries #1189

Merged

Conversation

sudo-bmitch
Contributor

This swaps out https://github.com/xeipuuv/gojsonschema for https://github.com/santhosh-tekuri/jsonschema. Considering how far back some of this code goes, feedback from @stevvooe and @vbatts would be awesome.

@sudo-bmitch sudo-bmitch force-pushed the pr-jsonschema-validator branch from 085bebd to 4bbdd7f May 26, 2024 21:33
@rchincha

I would also keep a fork of this dep under OCI repos because the author may:

  1. delete the repo or change access
  2. change license
  3. some other apocalyptic event ...

@sudo-bmitch
Contributor Author

> I would also keep a fork of this dep under OCI repos because the author may:
>
> 1. delete the repo or change access
> 2. change license
> 3. some other apocalyptic event ...

I think most of those concerns are covered by individual developers with the go module cache on their machines, in addition to Google's Go proxy server: https://sum.golang.org/.

@sajayantony sajayantony merged commit 036563a into opencontainers:main Jun 18, 2024
4 checks passed
@sudo-bmitch sudo-bmitch deleted the pr-jsonschema-validator branch June 18, 2024 17:36
@sudo-bmitch sudo-bmitch mentioned this pull request Feb 24, 2025
6 tasks
@thaJeztah
Member

> I think most of those concerns are covered by individual developers with the go module cache on their machines, in addition to Google's Go proxy server: https://sum.golang.org/.

Just a quick comment that Google's Go proxy server is NOT a safeguard against such events; it's a caching proxy, but the cache expires after 6 months. Consider it a protection against a repository going AWOL, with a grace period.

FWIW, we have had situations where that happened; at least in one case the upstream (one of Microsoft's repositories) decided to "start a new implementation from scratch" and to force-push the repository with new code. Another case was where the upstream repository went AWOL (or vanity domain expired), which was discovered early by us because we used GOPROXY=direct for our vendor check, but for some other repositories it didn't show up until Google's Go proxy expired after 6 months.

From Google's proxy server: https://proxy.golang.org/#faq-retention

> Why did a previously available module become unavailable in the mirror?
>
> proxy.golang.org does not save all modules forever. There are a number of reasons for this, but one reason is if proxy.golang.org is not able to detect a suitable license. In this case, only a temporarily cached copy of the module will be made available, and may become unavailable if it is removed from the original source and becomes outdated. The checksums will still remain in the checksum database regardless of whether or not they have become unavailable in the mirror.

So while https://sum.golang.org/ may keep the checksum, it may still be relevant to have a fork of the code to be able to add a replace rule (or otherwise).
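
The kind of vendor check described in the comment above, sketched as an added example (not code from this pull request or from the OCI project): it downloads a module's dependencies with `GOPROXY=direct` into an empty module cache, so neither the proxy nor a warm local cache can hide an upstream that has gone away. The function name `check_upstream_sources` and the `GO_BIN` override are hypothetical.

```shell
#!/bin/sh
# Added example: fail CI as soon as a dependency can no longer be fetched
# from its origin, instead of finding out when a proxy's cached copy expires.
# GO_BIN is a hypothetical override so the check can be exercised with a stub.

check_upstream_sources() {
    moddir=${1:-.}
    status=0

    # A fresh, empty module cache: a copy left over from an earlier build
    # must not be able to satisfy the download.
    cache=$(mktemp -d) || return 2

    # GOPROXY=direct bypasses proxy.golang.org and resolves every module
    # from its own VCS host (including vanity import domains).
    # Checksums are still verified against go.sum as usual.
    (
        cd "$moddir" &&
        GOPROXY=direct GOMODCACHE="$cache" "${GO_BIN:-go}" mod download
    ) || status=$?

    # The go command writes module cache files read-only; make them
    # removable before cleaning up.
    chmod -R u+w "$cache" 2>/dev/null || true
    rm -rf "$cache"

    if [ "$status" -ne 0 ]; then
        echo "upstream check failed: at least one module in $moddir" \
             "could not be fetched from its origin" >&2
    fi
    return "$status"
}
```

Run on a schedule rather than only on pull requests, a check like this reports a vanished or rewritten upstream while the proxy still serves its cached copy.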
