Fully address #15 checksum mismatch #22
Merged
See #15
Version v1.2.1 had originally been tagged for a commit hash that was subsequently removed and replaced by another commit hash.
Even though the window of time between the two release events was short, it was enough to get the go mod proxy confused, resulting in errors about mismatched checksums.
sum.golang.org is intended to guarantee that all Go users see the same code for a given module version. There's no way for it to know whether a change to a release was an intentional fix, a mistake, or an attack. Either way, reproducible builds are a fundamental goal of the module ecosystem, and users should be able to rely on things not changing invisibly.
If you use proxy.golang.org, it will serve you the same data for the version that sum.golang.org saw.
This adds the retract directive to the go.mod file for ryancurrah/gomodguard so retracted versions will be hidden from the version list printed by go list -m -versions unless the -retracted flag is used. Retracted versions are excluded when resolving version queries like @>=v1.2.3 or @latest.

This will also prevent consumers of this library that run go mod verify and go mod download -x from looking at the bad checksum from the older v1.2.1 release after a newer version is published and depended on.

Signed-off-by: Steve Coffman steve@khanacademy.org
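The following is an added example, not code from this pull request or from the gomodguard project. It shows, on a constructed go.mod, how the retract directive (both the single-version and the [lo, hi] range form, including the parenthesised block form) marks versions, and how a version query like @latest resolves to the highest version that is not retracted. The go.mod text and the version list are made up for illustration; the range retraction is hypothetical. The semver comparison and the directive parser are simplified stand-ins for what the go command does (the real toolchain, for instance, only honours retractions listed in the go.mod of the module's highest version, and handles pre-release suffixes), so treat this as a model of the semantics described above, not as the go command's implementation.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod, not the real gomodguard file.
// v1.2.1 is retracted as a single version (the case from this PR);
// the [v1.1.0, v1.1.2] range is hypothetical and only exercises range parsing.
const sampleGoMod = `module github.com/ryancurrah/gomodguard

go 1.16

retract v1.2.1 // tag was moved to a different commit; checksum mismatch

retract (
	[v1.1.0, v1.1.2] // hypothetical range, for illustration only
)
`

// semver is a simplified vMAJOR.MINOR.PATCH triple (no pre-release/build parts).
type semver struct{ major, minor, patch int }

func parseSemver(v string) (semver, bool) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	if len(parts) != 3 {
		return semver{}, false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, false
		}
		n[i] = x
	}
	return semver{n[0], n[1], n[2]}, true
}

func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// retraction is an inclusive [lo, hi] range; a single version has lo == hi.
type retraction struct{ lo, hi semver }

// parseRetractSpec handles "vX.Y.Z" and "[vA.B.C, vD.E.F]".
func parseRetractSpec(spec string) (retraction, bool) {
	if strings.HasPrefix(spec, "[") && strings.HasSuffix(spec, "]") {
		parts := strings.Split(strings.Trim(spec, "[]"), ",")
		if len(parts) != 2 {
			return retraction{}, false
		}
		lo, ok1 := parseSemver(strings.TrimSpace(parts[0]))
		hi, ok2 := parseSemver(strings.TrimSpace(parts[1]))
		if !ok1 || !ok2 {
			return retraction{}, false
		}
		return retraction{lo, hi}, true
	}
	v, ok := parseSemver(spec)
	if !ok {
		return retraction{}, false
	}
	return retraction{v, v}, true
}

// parseRetractions collects retract directives from go.mod text, in both the
// one-line form and the "retract ( ... )" block form. Line comments are dropped.
func parseRetractions(gomod string) []retraction {
	var out []retraction
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseRetractSpec(line); ok {
				out = append(out, r)
			}
		case strings.HasPrefix(line, "retract"):
			spec := strings.TrimSpace(strings.TrimPrefix(line, "retract"))
			if spec == "(" {
				inBlock = true
				continue
			}
			if r, ok := parseRetractSpec(spec); ok {
				out = append(out, r)
			}
		}
	}
	return out
}

// isRetracted reports whether v falls inside any retraction range.
func isRetracted(v string, rs []retraction) bool {
	sv, ok := parseSemver(v)
	if !ok {
		return false
	}
	for _, r := range rs {
		if !sv.less(r.lo) && !r.hi.less(sv) {
			return true
		}
	}
	return false
}

// latest models an @latest query: the highest version that is not retracted.
// It returns "" when every available version is retracted.
func latest(versions []string, rs []retraction) string {
	best := ""
	var bestV semver
	for _, v := range versions {
		sv, ok := parseSemver(v)
		if !ok || isRetracted(v, rs) {
			continue
		}
		if best == "" || bestV.less(sv) {
			best, bestV = v, sv
		}
	}
	return best
}

func main() {
	rs := parseRetractions(sampleGoMod)
	// Constructed version list: the retracted v1.2.1 sits below a newer v1.2.2.
	versions := []string{"v1.0.0", "v1.1.1", "v1.2.0", "v1.2.1", "v1.2.2"}
	fmt.Println("v1.2.1 retracted:", isRetracted("v1.2.1", rs))
	fmt.Println("@latest resolves to:", latest(versions, rs))
}
```

With only v1.2.0 and v1.2.1 available, latest falls back to v1.2.0, which is the point of the directive: a consumer that never pins v1.2.1 never fetches the version whose checksum no longer matches what sum.golang.org recorded.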