ortuman/jackal

Failing build due to changed dependency

SamWhited opened this issue · 6 comments

The build is currently failing due to a checksum mismatch:

verifying github.com/jackal-xmpp/runqueue@v0.5.0: checksum mismatch
        downloaded: h1:xhx6XS5VLqgMQec0qp0yQE53+9dttsL7SjQKBXnJmcQ=
        go.sum:     h1:zwcW3PwR6uF9h52myAPNQt5YmbyuIpDvyDStUobclOc=

👋

After running go mod tidy I'm still getting h1:zwcW3PwR6uF9h52myAPNQt5YmbyuIpDvyDStUobclOc= checksum value for github.com/jackal-xmpp/runqueue@v0.5.0 repository. 🤔

Could you please specify which Go version you are using? Thanks!

go mod tidy won't clean up the problem, it will just show the error. I've tried on a recent build of Go 1.17, but also on Go 1.15.9 and 1.16.2.
To fix this you'd probably want to investigate why the checksum changed (in case it is an actual problem), and then, if everything is okay, you'd remove this line from go.sum and run go mod tidy, which would add the new checksum line.

I'm guessing you force-pushed the tag or something, which will break other builds that have already pinned this version.

Oh, that would explain the issue, I'll create a new library release and do the fix. Thanks for pointing this out!

Just updated the dependency and recreated the v0.52.0 tag. Could you please confirm if this is still an issue?

It builds fine now. Gentle reminder though that recreating tags is unexpected (because it looks like a possible attack). Anything that had jackal pinned at v0.52.0 (e.g. if people deploying it were using a go.mod file to keep track of versions or had it in their tools.go file or something) will now also be broken if the global Go package database had already hashed it.

I'm glad it works now! Regarding recreating a tag, I was completely unaware of that implication. I'll definitely keep that in mind the next time something similar happens. Luckily the release was short-lived, so I expect that at least not too many people have been affected by this. 🤞
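
Added example, not part of the thread or of the jackal or runqueue code: a small Go program that reimplements the `h1:` hash recorded in go.sum (the `Hash1` algorithm from golang.org/x/mod/sumdb/dirhash) over an in-memory file tree, to show why a tag that is re-created with different content yields a checksum mismatch for anyone who already pinned it. The module path `example.com/demo`, the file contents, and the helper names `hashH1`, `retagged` and `sampleModule` are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 computes a go.sum-style "h1:" hash; keys are "module@version/path".
func hashH1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names) // the result must not depend on map iteration order
	summary := sha256.New()
	for _, name := range names {
		// One line per file: hex SHA-256 of the content, two spaces, the path.
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// retagged reports whether the hash recorded in go.sum no longer matches the tree.
func retagged(recorded string, files map[string][]byte) (bool, error) {
	got, err := hashH1(files)
	return got != recorded, err
}

// sampleModule builds a constructed two-file module tree (not real runqueue code).
func sampleModule(body string) map[string][]byte {
	const prefix = "example.com/demo@v0.5.0/"
	return map[string][]byte{
		prefix + "go.mod":   []byte("module example.com/demo\n"),
		prefix + "queue.go": []byte(body),
	}
}

func main() {
	pinned, _ := hashH1(sampleModule("package demo\n")) // recorded in a consumer's go.sum
	// Same tag name, different content: what a re-created tag serves.
	changed, _ := retagged(pinned, sampleModule("package demo // edited\n"))
	fmt.Println("go.sum:", pinned, "mismatch:", changed)
}
```

Because the version string is part of every hashed path and every file's content feeds the digest, the only way to ship changed content without breaking existing go.sum entries is to publish it under a new version.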