sethvargo/go-retry

Difficulties downloading v0.2.0

Deleplace opened this issue · 4 comments

The release v0.2.0 clearly mentions:

  • the tag name v0.2.0
  • the commit id e436cb1
  • the breaking change "constructors no longer returns an error" e.g. NewConstant now returns a single value
  • the potentially breaking change "Automatically unwrap"

I confirm that the code at tag v0.2.0 / commit e436cb1 does include the new signature for NewConstant, as viewed in the GitHub web UI.

However, when downloading v0.2.0 with go get (with a recent enough version of go), the downloaded code

  • includes the "Automatically unwrap" change
  • doesn't include the "constructors no longer returns an error"!

Here is a full repro from Cloud Shell:

deleplace@cloudshell:~$ go version
go version go1.17.2 linux/amd64

deleplace@cloudshell:~$ go get github.com/sethvargo/go-retry@v0.2.0
go: downloading github.com/sethvargo/go-retry v0.2.0

deleplace@cloudshell:~$ cat gopath/pkg/mod/github.com/sethvargo/go-retry@v0.2.0/retry.go | grep -A2 "if stop"
                if stop {
                        return rerr.Unwrap()
                }

deleplace@cloudshell:~$ cat gopath/pkg/mod/github.com/sethvargo/go-retry@v0.2.0/backoff_constant.go | grep "func NewConstant"
func NewConstant(t time.Duration) (Backoff, error) {

This is tricky.

I don't know the root cause of the problem. Might be a nasty bug in the go module tooling, or the way we use it. @sethvargo do you remember if you created the tag v0.2.0 first at commit 2ee2801, then deleted it and created it anew at commit e436cb1?

cideM commented

I got the following error from the CI pipeline of a branch where the dependency was automatically updated:

[2022-01-04T03:15:29.531Z] #11 9.386 verifying github.com/sethvargo/go-retry@v0.2.0: checksum mismatch
[2022-01-04T03:15:29.531Z] #11 9.386 	downloaded: h1:exfyQcFOOpUZ5fGciVj3iij5ilBo9oDeNo/kLj0ijS4=
[2022-01-04T03:15:29.531Z] #11 9.386 	go.sum:     h1:DCx92rkKH4xFulbIQR1izw6h3KxJWb1lyS2sxfr7SgQ=
[2022-01-04T03:15:29.531Z] #11 9.386 
[2022-01-04T03:15:29.531Z] #11 9.386 SECURITY ERROR
[2022-01-04T03:15:29.531Z] #11 9.386 This download does NOT match an earlier download recorded in go.sum.
[2022-01-04T03:15:29.531Z] #11 9.386 The bits may have been replaced on the origin server, or an attacker may
[2022-01-04T03:15:29.531Z] #11 9.386 have intercepted the download attempt.
[2022-01-04T03:15:29.531Z] #11 9.386 
[2022-01-04T03:15:29.531Z] #11 9.386 For more information, see 'go help module-auth'.
[2022-01-04T03:15:32.051Z] #11 ERROR: executor failed running [/bin/sh -c go mod download]: exit code: 1

Not sure if or how this helps, but it seems somewhat relevant.
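Why the CI log above reports a mismatch, as an added example that is not part of the original thread or of go-retry: the `h1:` value in go.sum is a SHA-256 over a sorted per-file hash listing of the module tree, so two different trees served under the same version can never share it. The two one-file trees are constructed stand-ins (the second signature is assumed from the release note), and `hashH1` and `verify` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

const modPrefix = "github.com/sethvargo/go-retry@v0.2.0"

// Constructed one-file trees standing in for the two states of the v0.2.0 tag.
var firstTagTree = map[string]string{
	"backoff_constant.go": "func NewConstant(t time.Duration) (Backoff, error) {\n",
}
var movedTagTree = map[string]string{
	"backoff_constant.go": "func NewConstant(t time.Duration) Backoff {\n",
}

// hashH1 computes the go.sum "h1:" hash: SHA-256 over the sorted lines
// "<hex sha256 of file>  <module@version>/<path>\n", base64-encoded.
func hashH1(prefix string, files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fmt.Fprintf(summary, "%x  %s/%s\n", sha256.Sum256([]byte(files[name])), prefix, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify compares a downloaded tree against a "module version hash" go.sum line.
func verify(goSumLine, prefix string, downloaded map[string]string) error {
	fields := strings.Fields(goSumLine)
	if len(fields) != 3 {
		return fmt.Errorf("malformed go.sum line")
	}
	if got := hashH1(prefix, downloaded); got != fields[2] {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", got, fields[2])
	}
	return nil
}

func main() {
	// go.sum was written when the first tree was fetched; the moved tag serves another.
	line := "github.com/sethvargo/go-retry v0.2.0 " + hashH1(modPrefix, firstTagTree)
	fmt.Println(verify(line, modPrefix, movedTagTree))
}
```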

Thanks Florian

I suggest the v0.2.0 be retracted.

Hmm - I'm not sure what happened, but this is the second time on one of my projects where the module differs. I just retracted v0.2.0 and cut v0.2.1.

This issue has been automatically locked since there has not been any
recent activity after it was closed. Please open a new issue for
related bugs.