Default go proxy has stale version #883

Open
alexshtin opened this issue Jun 23, 2022 · 2 comments

alexshtin commented Jun 23, 2022

Problem

If I try to install the latest version using the default Go proxy GOPROXY="https://proxy.golang.org,direct", everything works fine, but if I turn it off, go gives me an error:

bash-5.1# GOPROXY=direct go get -u github.com/uber/tchannel-go
go: downloading github.com/uber/tchannel-go v1.31.0
go get github.com/uber/tchannel-go: github.com/uber/tchannel-go@v1.31.0: verifying module: checksum mismatch
        downloaded: h1:/UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8=
        sum.golang.org: h1:svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

After investigation I found out that the /UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8= checksum corresponds to the commit tagged with v1.31.0, but svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU= belongs to the d84cd5f commit, which is 8 commits behind v1.31.0. This means that everybody who gets v1.31.0 using go get -u github.com/uber/tchannel-go doesn't really get 1.31.0 unless they turn the Go proxy off, but in that case checksum validation fails.

Proposed solution

Release v1.31.1 ASAP. Even if it points to the same c373222 commit as v1.30.0.

Consider retracting 1.30.0 using retract.
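
How the h1: values in the mismatch reported above are derived, as an added example that is not part of the original issue or of the tchannel-go project: it reimplements the Go module h1 directory hash with the standard library and shows two different trees published under one version failing verification. The module path example.com/mod, the file contents and the helper names hash1 and verify are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes a Go module "h1:" hash over an in-memory file tree.
// Keys are paths of the form "module@version/relative/path", as in a module zip.
func hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		// One line per file: hex SHA-256 of the content, two spaces, the name.
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// verify compares a downloaded tree with the hash recorded for that module version.
func verify(files map[string][]byte, recorded string) error {
	got, err := hash1(files)
	if err != nil {
		return err
	}
	if got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s", got, recorded)
	}
	return nil
}

// Constructed sample trees: same module path and version, different content.
const prefix = "example.com/mod@v1.0.0/"

var olderCommit = map[string][]byte{prefix + "go.mod": []byte("module example.com/mod\n"), prefix + "a.go": []byte("package mod\n")}
var taggedCommit = map[string][]byte{prefix + "go.mod": []byte("module example.com/mod\n"), prefix + "a.go": []byte("package mod\n\nfunc New() {}\n")}

func main() {
	recorded, _ := hash1(olderCommit) // the hash that was logged first for this version
	fmt.Println("cached copy:", verify(olderCommit, recorded))
	fmt.Println("origin copy:", verify(taggedCommit, recorded))
}
```

Because the version string is part of every hashed file name, the same commit published under a new tag gets a new h1 value and a fresh checksum entry.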
