Checksum mismatch in go sumdb

[chrisdoherty4]

I haven't quite worked out the issue but there seems to be a checksum mismatch in the Google sumdb. Raising some initial awareness with this ticket.

Relates to golangci/golangci-lint#2683

$ GOPROXY=direct go get github.com/blizzy78/[email protected]
go: downloading github.com/blizzy78/varnamelen v0.6.1
go: github.com/blizzy78/[email protected]: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

[blizzy78]

This is totally my fault. I had initially tagged varnamelen v0.6.1, then realized I forgot some things, removed the tag and put it on a later commit. All while hoping that I would be quick enough, which it seems I wasn't :-(

[chrisdoherty4]

@blizzy78 I suspected as much, no worries. I don't know that it would've helped you, but you might consider leveraging -beta additions to the version string to test things out etc.

[chrisdoherty4]

@blizzy78 FWIW this is a really neat little package! Great problem to bring attention to/solve.

[chrisdoherty4]

Also https://go.dev/ref/mod#go-mod-file-retract would be useful to configure.

[blizzy78]

Thanks for the suggestions, I'll look into those.

As for the initial idea to varnamelen, praise probably needs to go to my co-worker @Baret. I've implemented it in code and expanded upon it.

[baryluk]

Was hit by this today on a new machine, with go.sum created on other machine just about 2 weeks ago:

verifying github.com/blizzy78/[email protected]/go.mod: checksum mismatch
	downloaded: h1:mGBHm+Uo4e8JnZEKHRoZgVEOQdSBdQfY/x+k4NAXBWA=
	go.sum:     h1:zy2Eic4qWqjrxa60jG34cfL0VXcSwzUrIx68eJPb4Q8=

[chrisdoherty4]

@baryluk Upgrade to 0.6.2. If you're receiving this due to a transitive dependency on varnamelen then the root project needs to upgrade varnamelen to 0.6.2 or later.

There are no behavioral differences between 0.6.1 and 0.6.2.

[blizzy78]

Just to note, the latest version is 0.8.0, so you might want to upgrade to that instead.

[baryluk]

It is a transitive dependency. Not sure through of what (I do not understand Go modules too well).

I think via github.com/golangci/[email protected], but I have no idea why it is being installed by anything that I depend on. Maybe I installed it, and it become the dependency of the project, while it isn't.

But I noticed that my go.mod already references only 0.8.0 // indirect, so I just removed the 0.6.1 from the go.sum. I guess go.sum had some old info from previous state of that indirect dependency, and go get -u updated it to 0.8.0, but kept the old 0.6.1 still there. I also removed the [email protected] , re updated dependencies, and it started working.

[blizzy78]

You may want to run go mod tidy in your project.

[baryluk]

You may want to run go mod tidy in your project.

Cool. Thanks!

Before

$ wc -l go.mod go.sum 
    77 go.mod
  1947 go.sum

After go mod tidy:

$ wc -l go.mod go.sum 
   39 go.mod
  947 go.sum