
Switch jsonschema validation libraries #1189

Merged
sajayantony merged 1 commit into opencontainers:main from sudo-bmitch:pr-jsonschema-validator
Jun 18, 2024

@sudo-bmitch
Contributor

This swaps out https://github.com/xeipuuv/gojsonschema for https://github.com/santhosh-tekuri/jsonschema. Considering how far back some of this code goes, feedback from @stevvooe and @vbatts would be awesome.

Signed-off-by: Brandon Mitchell <git@bmitch.net>
@sudo-bmitch sudo-bmitch force-pushed the pr-jsonschema-validator branch from 085bebd to 4bbdd7f Compare May 26, 2024 21:33
Comment thread schema/validator.go
@rchincha
Contributor

I would also keep a fork of this dep under OCI repos because the author may:

  1. delete the repo or change access
  2. change license
  3. some other apocalyptic event ...

@sudo-bmitch
Contributor Author

> I would also keep a fork of this dep under OCI repos because the author may:
>
> 1. delete the repo or change access
> 2. change license
> 3. some other apocalyptic event ...

I think most of those concerns are covered by individual developers with the go module cache on their machines, in addition to Google's Go proxy server: https://sum.golang.org/.

@sajayantony sajayantony merged commit 036563a into opencontainers:main Jun 18, 2024
@sudo-bmitch sudo-bmitch deleted the pr-jsonschema-validator branch June 18, 2024 17:36
@sudo-bmitch sudo-bmitch mentioned this pull request Feb 24, 2025
@thaJeztah
Member

> I think most of those concerns are covered by individual developers with the go module cache on their machines, in addition to Google's Go proxy server: https://sum.golang.org/.

Just a quick comment that Google's Go proxy server is NOT a safeguard against such events; it's a caching proxy, but the cache expires after 6 months. Consider it a protection against a repository going AWOL, with a grace period.

FWIW, we have had situations where that happened; at least in one case the upstream (one of Microsoft's repositories) decided to "start a new implementation from scratch" and to force-push the repository with new code. Another case was where the upstream repository went AWOL (or the vanity domain expired), which was discovered early by us because we used GOPROXY=direct for our vendor check, but for some other repositories it didn't show up until Google's Go proxy expired after 6 months.

From Google's proxy server; https://proxy.golang.org/#faq-retention

> Why did a previously available module become unavailable in the mirror?
>
> proxy.golang.org does not save all modules forever. There are a number of reasons for this, but one reason is if proxy.golang.org is not able to detect a suitable license. In this case, only a temporarily cached copy of the module will be made available, and may become unavailable if it is removed from the original source and becomes outdated. The checksums will still remain in the checksum database regardless of whether or not they have become unavailable in the mirror.

So while https://sum.golang.org/ may keep the checksum, it may still be relevant to have a fork of the code to be able to add a replace rule (or otherwise).
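
Added example, not part of the thread or the project's code: one way to audit which required modules already have a replace rule pointing at a copy the project controls, the fallback the last comment describes. It reads the JSON printed by `go mod edit -json`; the sample JSON, its module paths and the `example.org/oci-forks/` prefix are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// goMod mirrors the subset of `go mod edit -json` output used here.
type goMod struct {
	Require []struct{ Path, Version string }
	Replace []struct{ Old, New struct{ Path, Version string } }
}

// Constructed sample; all module paths and the fork location are hypothetical.
const sampleJSON = `{"Require": [
  {"Path": "example.com/schema/validator", "Version": "v1.0.0"},
  {"Path": "example.com/other/dep", "Version": "v1.2.3"},
  {"Path": "example.com/transitive/dep", "Version": "v0.1.0", "Indirect": true}],
 "Replace": [{"Old": {"Path": "example.com/other/dep"},
              "New": {"Path": "example.org/oci-forks/dep", "Version": "v1.2.3"}}]}`

// unmirrored returns every required module (direct or indirect) that has no
// replace rule pointing at a local directory (./, ../, /abs) or at a module
// path under forkPrefix, i.e. modules that still depend on upstream or a proxy.
func unmirrored(modJSON []byte, forkPrefix string) ([]string, error) {
	var m goMod
	if err := json.Unmarshal(modJSON, &m); err != nil {
		return nil, err
	}
	covered := map[string]bool{}
	for _, r := range m.Replace {
		p := r.New.Path
		if strings.HasPrefix(p, ".") || strings.HasPrefix(p, "/") || strings.HasPrefix(p, forkPrefix) {
			covered[r.Old.Path] = true
		}
	}
	var out []string
	for _, r := range m.Require {
		if !covered[r.Path] {
			out = append(out, r.Path+"@"+r.Version)
		}
	}
	return out, nil
}

func main() {
	deps, err := unmirrored([]byte(sampleJSON), "example.org/oci-forks/")
	fmt.Println(deps, err)
}
```

In a real checkout the input would come from running `go mod edit -json` in the module root; the check ignores version-specific replace rules and treats any rule for a module path as covering it.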
