Checksum mismatch
Ben131-Go opened this issue · 0 comments
Ben131-Go commented
Background
Comparing version v0.2.0 of github.com/safchain/ethtool from proxy.golang.org and github, there are inconsistencies.
"committer": {
"name": "GitHub",
"email": "noreply@github.com",
"date": "2022-03-08T21:01:47Z"
}{"Version":"v0.2.0","Time":"2021-10-27T13:15:06Z"}So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v0.2.0 tag of github.com/safchain/ethtool might have been retagged after a minor edition on github.
In this case, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/safchain/ethtool@v0.2.0, the following error occurs.
go: downloading github.com/safchain/ethtool v0.2.0
go: github.com/safchain/ethtool@v0.2.0: verifying module: checksum mismatch
downloaded: h1:tjsEsesUSlGdnUAAiIaEvk/YEycwk0k3Q6/q77qGpBI=
sum.golang.org: h1:dILxMBqDnQfX192cCAPjZr9v2IgVXeElHPy435Z/IdE=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.Solution
1. Release a new tag
I would recommend releasing a new tag to ensure dependency copy in proxy.golang.org and github in sync.