Was v1.0.0 republished?

Question

Was v1.0.0 republished?

Closed this issue 4 years ago · 3 comments

It looks like the v1.0.0 tag may have been published multiple times with different commits, leading to module checksum errors:

go: downloading honnef.co/go/tools v0.1.3
verifying github.com/tomarrell/wrapcheck@v1.0.0: checksum mismatch
	downloaded: h1:Vlt2WgQOtsuhOBvJsqnT79c0BmN568PxEcB+EMNm/yY=
	go.sum:   h1:e/6yv/rH08TZFvkYpaAMrgGbaQHVFdzaPPv4a5EIu+o=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

pkg.go.dev indicates that v1.0.0 was published on 3/17/2021, but this repo indicates it was published yesterday, 3/29/2021.

Answer 1 · 2021-03-31T03:43:50.000Z

See #8 (comment)

Answer 2 · 2021-03-31T15:45:03.000Z

Sure, I'll restore the tag and draft a new release.

Answer 3 · 2021-03-31T15:52:08.000Z

I've restored the tag to prevent checksum issues. I was mistaken thinking that only a small number of people installing it in that short time (~4 days) would be affected.