goproxyio/goproxy

The checksums generated by sum.golang.org and gosum.io are different

starryrbs opened this issue · 1 comments

package: github.com/StackExchange/wmi@v1.2.0

curl https://goproxy.io/sumdb/sum.golang.org/lookup/github.com/!stack!exchange/wmi@v1.2.0

output

5962738
github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=

go.sum database tree
11824063
WCl512Pdu5vjuBVhKZhK+XZw6Xp/DWkqqvzSQdp+8q4=

— sum.golang.org Az3grjvrvdlD1XXg3nTv0Xpy0rz1iE0usJdqgypkJPeH4tSKI4P0SBoKRlVee1N6BVXR7j7kWLsa7SsnzV7lxL/LPQA=

curl https://goproxy.io/sumdb/gosum.io/lookup/github.com/!stack!exchange/wmi@v1.2.0

output

28882
github.com/StackExchange/wmi v1.2.0 h1:BfLCNdXnvwgy5RrRI3IyQ64ZItZngXHN+7PxU5RvKxA=
github.com/StackExchange/wmi v1.2.0/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=

go.sum database tree
56431
b7RJRhGEDAmIbdecPnyJsCgh0x9u+23qxh3fWCyVVcs=

— gosum.io zm51ZVqJGN5U5qZxcbzblEeXvKYABVzfVFQwyEJge3jktE6lAycaYl7b15TJepOrBBBjvUXt0b92oBk2DRumCBzBFQ0=

go mod download

output

github.com/StackExchange/wmi@v1.2.0: verifying module: checksum mismatch
	downloaded: h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
	gosum.io: h1:BfLCNdXnvwgy5RrRI3IyQ64ZItZngXHN+7PxU5RvKxA=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.

it should be

github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=

Maybe the version (git tag) v1.2.0 was released twice or more.

gosum.io didn't get this change, so it keeps the old checksum.
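
One way to surface the disagreement reported in this thread before `go mod download` fails, as an added example that is not part of the original issue or the goproxy project: parse the go.sum lines of two checksum database lookup responses and list the entries whose `h1:` hashes differ. The helper names `parseLookup` and `diffLookups` are hypothetical, and the inputs are constructed from the two lookup outputs quoted above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed samples: record number and go.sum lines copied from the two
// lookup responses in the issue; the signed tree note after the blank line is cut.
const sumGolangOrg = "5962738\n" +
	"github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=\n" +
	"github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=\n\n"
const gosumIO = "28882\n" +
	"github.com/StackExchange/wmi v1.2.0 h1:BfLCNdXnvwgy5RrRI3IyQ64ZItZngXHN+7PxU5RvKxA=\n" +
	"github.com/StackExchange/wmi v1.2.0/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=\n\n"

// parseLookup (hypothetical helper) maps "module version" to its h1: hash.
// It skips the record number on line 1 and stops at the blank line that
// precedes the signed tree note.
func parseLookup(body string) map[string]string {
	sums := map[string]string{}
	lines := strings.Split(body, "\n")
	for _, line := range lines[1:] {
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			break
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums
}

// diffLookups (hypothetical helper) returns the sorted go.sum keys on which
// the two databases disagree, including keys only one of them knows.
func diffLookups(a, b string) []string {
	x, y := parseLookup(a), parseLookup(b)
	var out []string
	for k, h := range x {
		if y[k] != h {
			out = append(out, k)
		}
	}
	for k := range y {
		if _, ok := x[k]; !ok {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, k := range diffLookups(sumGolangOrg, gosumIO) {
		fmt.Println("checksum databases disagree on:", k)
	}
}
```

A non-empty result for the same module and version means at least one database recorded different content for that tag, which is the condition that makes `go mod download` stop with the `SECURITY ERROR` shown in the issue.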