blizzy78 / varnamelen

Go analyzer checking that the length of a variable's name matches its usage scope

Checksum mismatch in go sumdb

chrisdoherty4 opened this issue · comments

I haven't quite worked out the issue but there seems to be a checksum mismatch in the Google sumdb. Raising some initial awareness with this ticket.

Relates to golangci/golangci-lint#2683

$ GOPROXY=direct go get github.com/blizzy78/varnamelen@v0.6.1
go: downloading github.com/blizzy78/varnamelen v0.6.1
go: github.com/blizzy78/varnamelen@v0.6.1: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

This is totally my fault. I had initially tagged varnamelen v0.6.1, then realized I forgot some things, removed the tag and put it on a later commit. All while hoping that I would be quick enough, which it seems I wasn't :-(

@blizzy78 I suspected as much, no worries. I don't know that it would've helped you, but you might consider leveraging -beta additions to the version string to test things out etc.

@blizzy78 FWIW this is a really neat little package! Great problem to bring attention to/solve.

Also https://go.dev/ref/mod#go-mod-file-retract would be useful to configure.

Thanks for the suggestions, I'll look into those.

As for the initial idea for varnamelen, praise probably needs to go to my co-worker @Baret. I've implemented it in code and expanded upon it.

Was hit by this today on a new machine, with a go.sum created on another machine just about 2 weeks ago:

verifying github.com/blizzy78/varnamelen@v0.6.1/go.mod: checksum mismatch
	downloaded: h1:mGBHm+Uo4e8JnZEKHRoZgVEOQdSBdQfY/x+k4NAXBWA=
	go.sum:     h1:zy2Eic4qWqjrxa60jG34cfL0VXcSwzUrIx68eJPb4Q8=

@baryluk Upgrade to 0.6.2. If you're receiving this due to a transitive dependency on varnamelen then the root project needs to upgrade varnamelen to 0.6.2 or later.

There are no behavioral differences between 0.6.1 and 0.6.2.

Just to note, the latest version is 0.8.0, so you might want to upgrade to that instead.

It is a transitive dependency. Not sure through what (I do not understand Go modules too well).

I think via github.com/golangci/golangci-lint@v1.45.2, but I have no idea why it is being installed by anything that I depend on. Maybe I installed it, and it became a dependency of the project, while it isn't.

But I noticed that my go.mod already references only 0.8.0 // indirect, so I just removed the 0.6.1 from the go.sum. I guess go.sum had some old info from a previous state of that indirect dependency, and go get -u updated it to 0.8.0, but kept the old 0.6.1 still there. I also removed golangci-lint@v1.45.2, re-updated dependencies, and it started working.

You may want to run go mod tidy in your project.

Cool. Thanks!

Before:

$ wc -l go.mod go.sum 
    77 go.mod
  1947 go.sum

After go mod tidy:

$ wc -l go.mod go.sum 
   39 go.mod
  947 go.sum
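
Why moving the v0.6.1 tag to a later commit produced the mismatch discussed in this thread, as an added example that is not part of the original thread or of varnamelen. It reimplements the "h1:" hash format the go command records in go.sum and the checksum database; the module path example.com/mod, the file contents, and the helper names hashH1 and checkSum are constructed for illustration.

```go
// Added example: the "h1:" module hash over two constructed trees that carry
// the same version tag. Paths and contents are made up for illustration.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 computes an "h1:" hash: SHA-256 over a sorted manifest of
// "<sha256 hex>  <file name>\n" lines, one per file, then base64-encoded.
func hashH1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256([]byte(files[name])), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// checkSum reports whether a go.sum-style line ("module version hash")
// matches the hash of the tree that was actually downloaded.
func checkSum(sumLine string, downloaded map[string]string) (bool, error) {
	fields := strings.Fields(sumLine)
	if len(fields) != 3 {
		return false, fmt.Errorf("malformed go.sum line: %q", sumLine)
	}
	return fields[2] == hashH1(downloaded), nil
}

// Constructed trees: the tag first on one commit, then moved to a later one.
const prefix = "example.com/mod@v0.6.1/"

var firstTag = map[string]string{prefix + "go.mod": "module example.com/mod\n", prefix + "a.go": "package mod\n"}
var movedTag = map[string]string{prefix + "go.mod": "module example.com/mod\n", prefix + "a.go": "package mod\n\nvar fixed = true\n"}

func main() {
	recorded := "example.com/mod v0.6.1 " + hashH1(firstTag) // pinned by the first fetch
	ok, _ := checkSum(recorded, movedTag)
	fmt.Println("recorded:  ", recorded)
	fmt.Println("downloaded:", hashH1(movedTag), "match:", ok)
}
```

Any byte that differs between the two commits changes the hash, so a tag that was fetched once and then moved can never verify against the first recorded value; publishing a new version is the only fix.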