josephburnett/jd

v1.5.1 checksum mismatch.

peanutzhen opened this issue · 5 comments

go: finding module for package github.com/josephburnett/jd/lib
go: downloading github.com/josephburnett/jd v1.5.1
github.com/bubble-diff/bubblereplay/handlers imports
github.com/josephburnett/jd/lib: github.com/josephburnett/jd@v1.5.1: verifying module: checksum mismatch
downloaded: h1:6V6C5rMl1RCea2EuufPuGS+rSfJetRXl//R5XJz19AA=
sum.golang.org: h1:QmLNUewdF2CAezYKe1f/UIP9M5D9GtC+N7/qIyj3Pi8=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

I have the same question.

I messed up the 1.5.0/1.5.1 release process, which is just a Makefile target. The docker build didn't work but the script had already pushed the 1.5.0 tag. So I created 1.5.1 by hand: #41 (comment). (Bad idea.) Your breakage is probably the result of moving the 1.5.1 tag to the commit from which the 1.5.1 binaries were built.

You can safely use the new commit (delete the go.sum entry and it should be replaced on the next build). I apologize for the inconvenience.

This shouldn't happen ever. The answer is safe and reliable automation, so I've opened #44 to make improvements to the Makefile.

Same issue in Homebrew: Homebrew/homebrew-core#95107
This broke some later builds on our side.
The best strategy would have been to tag a 1.5.2 release instead, and either leave the old tags as they were, or delete them if they were shipping broken software.

@iMichka thanks for fixing the checksum. Are new tags picked up automatically by Homebrew?

No, they're usually contributed by users (though some of them automate their submissions).
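Added example, not part of the thread and not the jd project's or the go command's own code: a stdlib-only sketch of how an `h1:` hash like the two in the error above is derived (SHA-256 over a sorted list of per-file SHA-256 lines), showing why moving a tag to a different commit makes every later download fail verification. The module path `example.com/mod`, the file contents and the helper names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 computes an "h1:" hash the way go.sum entries are built: SHA-256 over
// a sorted manifest with one "<sha256 hex>  <path>\n" line per file.
func hash1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256([]byte(files[name])), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify mirrors the check behind "verifying module: checksum mismatch".
func verify(recorded string, files map[string]string) error {
	if got := hash1(files); got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s", got, recorded)
	}
	return nil
}

// Constructed trees: one version label pointing at two different commits.
func firstTag() map[string]string {
	return map[string]string{
		"example.com/mod@v1.0.1/go.mod":   "module example.com/mod\n",
		"example.com/mod@v1.0.1/lib/a.go": "package lib\n\nconst Build = 1\n",
	}
}

func movedTag() map[string]string {
	files := firstTag()
	files["example.com/mod@v1.0.1/lib/a.go"] = "package lib\n\nconst Build = 2\n"
	return files
}

func main() {
	recorded := hash1(firstTag()) // what the checksum database saw first
	fmt.Println(verify(recorded, firstTag()))
	fmt.Println(verify(recorded, movedTag()))
}
```

Because the recorded hash is tied to the version string, changing the content behind the same version can only be resolved by publishing a new version, as suggested in the thread.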