blizzy78 / varnamelen

Go analyzer checking that the length of a variable's name matches its usage scope
MIT License

Checksum mismatch in go sumdb #13

Closed chrisdoherty4 closed 2 years ago

chrisdoherty4 commented 2 years ago

I haven't quite worked out the issue but there seems to be a checksum mismatch in the Google sumdb. Raising some initial awareness with this ticket.

Relates to https://github.com/golangci/golangci-lint/issues/2683

$ GOPROXY=direct go get github.com/blizzy78/varnamelen@v0.6.1
go: downloading github.com/blizzy78/varnamelen v0.6.1
go: github.com/blizzy78/varnamelen@v0.6.1: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
blizzy78 commented 2 years ago

This is totally my fault. I had initially tagged varnamelen v0.6.1, then realized I forgot some things, removed the tag and put it on a later commit. All while hoping that I would be quick enough, which it seems I wasn't :-(
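The mismatch above, and the cause described in the previous comment, come down to the "h1:" hash that Go records once per module version, both in go.sum and in sum.golang.org. The following is an added example, not part of this thread and not code from the varnamelen project: it reimplements the h1 scheme (the dirhash.Hash1 algorithm from golang.org/x/mod, written against the standard library only), parses go.sum lines, and runs the same comparison that produced the "checksum mismatch" error, once with the go.mod of the originally tagged commit and once with the go.mod of the commit the tag was moved to. The module path example.com/linter, the two go.mod contents and the go.sum line are constructed for the example.

```go
// Added example, not code from the varnamelen project or from this thread.
// It reimplements the "h1:" hash that go.sum and sum.golang.org record per
// module version (golang.org/x/mod's dirhash.Hash1, written here against the
// standard library only) and the comparison behind "checksum mismatch". The
// module path example.com/linter and all inputs below are constructed.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 implements the h1 scheme: files are sorted by name, each file's SHA-256
// is written to a summary as "<hex sha256>  <name>\n", and the result is
// "h1:" plus the base64 SHA-256 of that summary.
func hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("hash1: file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// goModHash is the value on the "<module> <version>/go.mod" line of go.sum: hash1
// over one file literally named "go.mod". (The line without the /go.mod suffix is
// hash1 over the module zip's files, named "<module>@<version>/<path>".)
func goModHash(goMod []byte) (string, error) {
	return hash1(map[string][]byte{"go.mod": goMod})
}

// parseGoSum indexes go.sum lines "<module> <version>[/go.mod] <hash>" by their first two fields.
func parseGoSum(goSum string) (map[string]string, error) {
	entries := make(map[string]string)
	for i, line := range strings.Split(goSum, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed entry %q", i+1, line)
		}
		entries[fields[0]+" "+fields[1]] = fields[2]
	}
	return entries, nil
}

// verifyGoMod is the check behind "verifying <module>@<version>/go.mod:
// checksum mismatch": the hash of the downloaded go.mod must equal the hash
// already recorded for that version.
func verifyGoMod(goSum map[string]string, module, version string, downloaded []byte) error {
	key := module + " " + version + "/go.mod"
	want, ok := goSum[key]
	if !ok {
		return fmt.Errorf("%s: missing go.sum entry", key)
	}
	got, err := goModHash(downloaded)
	if err != nil {
		return err
	}
	if got != want {
		return fmt.Errorf("verifying %s@%s/go.mod: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s",
			module, version, got, want)
	}
	return nil
}

func main() {
	// Constructed: go.mod at the commit first tagged v0.6.1, and go.mod at the
	// later commit the tag was moved to. Any byte difference changes the hash.
	original := []byte("module example.com/linter\n\ngo 1.18\n")
	retagged := []byte("module example.com/linter\n\ngo 1.18\n\nrequire golang.org/x/tools v0.1.9\n")

	recorded, _ := goModHash(original) // what go.sum / the sumdb captured first
	goSum, err := parseGoSum("example.com/linter v0.6.1/go.mod " + recorded + "\n")
	if err != nil {
		panic(err)
	}
	check := func(label string, data []byte) {
		if err := verifyGoMod(goSum, "example.com/linter", "v0.6.1", data); err != nil {
			fmt.Printf("%s: %v\n", label, err)
			return
		}
		fmt.Printf("%s: ok\n", label)
	}
	check("original commit", original)
	check("moved tag", retagged)
}
```

The go.sum line for the module zip is produced the same way, with the zip's file names in place of "go.mod", so moving a tag breaks both lines. Because sum.golang.org is an append-only log, the hash of whatever commit the tag pointed at when the version was first fetched stays on record; retagging quickly does not undo that, which is why a new version number (or a prerelease suffix while testing) is the only clean way out.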

chrisdoherty4 commented 2 years ago

@blizzy78 I suspected as much, no worries. I don't know that it would've helped you, but you might consider leveraging -beta additions to the version string to test things out etc.

chrisdoherty4 commented 2 years ago

@blizzy78 FWIW this is a really neat little package! Great problem to bring attention to/solve.

chrisdoherty4 commented 2 years ago

Also https://go.dev/ref/mod#go-mod-file-retract would be useful to configure.

blizzy78 commented 2 years ago

Thanks for the suggestions, I'll look into those.

As for the initial idea for varnamelen, praise probably needs to go to my co-worker @Baret. I've implemented it in code and expanded upon it.

baryluk commented 2 years ago

Was hit by this today on a new machine, with a go.sum created on another machine just about 2 weeks ago:

verifying github.com/blizzy78/varnamelen@v0.6.1/go.mod: checksum mismatch
    downloaded: h1:mGBHm+Uo4e8JnZEKHRoZgVEOQdSBdQfY/x+k4NAXBWA=
    go.sum:     h1:zy2Eic4qWqjrxa60jG34cfL0VXcSwzUrIx68eJPb4Q8=
chrisdoherty4 commented 2 years ago

@baryluk Upgrade to 0.6.2. If you're receiving this due to a transitive dependency on varnamelen then the root project needs to upgrade varnamelen to 0.6.2 or later.

There are no behavioral differences between 0.6.1 and 0.6.2.

blizzy78 commented 2 years ago

Just to note, the latest version is 0.8.0, so you might want to upgrade to that instead.

baryluk commented 2 years ago

It is a transitive dependency. Not sure through what, though (I do not understand Go modules too well).

I think via github.com/golangci/golangci-lint@v1.45.2, but I have no idea why it is being installed by anything that I depend on. Maybe I installed it, and it became a dependency of the project, while it isn't.

But I noticed that my go.mod already references only 0.8.0 // indirect, so I just removed the 0.6.1 entries from go.sum. I guess go.sum had some old info from the previous state of that indirect dependency, and go get -u updated it to 0.8.0 but kept the old 0.6.1 there. I also removed golangci-lint@v1.45.2, re-updated dependencies, and it started working.

blizzy78 commented 2 years ago

You may want to run go mod tidy in your project.

baryluk commented 2 years ago

> You may want to run go mod tidy in your project.

Cool. Thanks!

Before

$ wc -l go.mod go.sum 
    77 go.mod
  1947 go.sum

After go mod tidy:

$ wc -l go.mod go.sum 
   39 go.mod
  947 go.sum