googleapis / enterprise-certificate-proxy

Repository for the Enterprise Certificate Proxy project.
Apache License 2.0

Re-release v0.3.3 as v0.3.4 #127

Closed bendiknesbo closed 1 month ago

bendiknesbo commented 2 months ago

There appears to have been an erroneous release of v0.3.3, where (presumably) commit f21be58b697858416572a2afe874ed3a198e0b87 was tagged, instead of f3de1e7957d48af64204e6208d330445b3e553bb. This has since been corrected, so f3de1e7957d48af64204e6208d330445b3e553bb is the tagged commit now.

However, module proxies and mirrors have already managed to get hold of the erroneously tagged version, and are still distributing that version, while others end up with the correct version.

This leads to security errors on go get:

verifying github.com/googleapis/enterprise-certificate-proxy@v0.3.3: checksum mismatch
        downloaded: h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=
        go.sum:     h1:G6q7VHBoU74wQHXFsZSLMPl0rFw0ZDrlZ3rt6/aTBII=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

The official Go module proxy recommends releasing a new version and encouraging the use of the fixed version:

I removed a bad release from my repository but it still appears in the mirror, what should I do? Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.

I suggest you bump to v0.3.4, and release that properly.
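The checksum mismatch above is the go command recomputing the module zip's h1: hash and comparing it with the one recorded in go.sum. The following is an added example, not code from this issue or from the enterprise-certificate-proxy project: it reimplements that h1: computation (Go's dirhash.Hash1) over a constructed module zip, records it in a constructed go.sum line, and shows how a differently tagged zip served under the same version fails the check. The module name example.com/m and the file contents are assumptions.

```python
import base64
import hashlib
import io
import zipfile

MODULE, VERSION = "example.com/m", "v1.0.0"  # constructed names, not the real module

def hash1(files):
    """Go's dirhash.Hash1: sha256 over sorted 'sha256hex  name\\n' lines, base64, 'h1:' prefix."""
    summary = "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n"
                      for name, data in sorted(files.items()))
    return "h1:" + base64.b64encode(hashlib.sha256(summary.encode()).digest()).decode()

def hash_module_zip(zip_bytes):
    """The h1: value go.sum records for a module zip (entries are 'module@version/path')."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}
    return hash1(files)

def parse_go_sum(text):
    """Map (module, version) -> h1 hash; '/go.mod' lines cover only the go.mod file and are skipped."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[1].endswith("/go.mod"):
            sums[(parts[0], parts[1])] = parts[2]
    return sums

def verify(module, version, zip_bytes, go_sum_text):
    """Return (downloaded_hash, recorded_hash, match): the comparison `go get` performs."""
    expected = parse_go_sum(go_sum_text).get((module, version))
    actual = hash_module_zip(zip_bytes)
    return actual, expected, actual == expected

def make_module_zip(source):
    """Constructed module zip in the layout a module proxy serves."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{MODULE}@{VERSION}/go.mod", f"module {MODULE}\n\ngo 1.21\n")
        zf.writestr(f"{MODULE}@{VERSION}/m.go", source)
    return buf.getvalue()

# The zip first recorded in go.sum, and a different zip later served under the same tag.
GOOD_ZIP = make_module_zip("package m\n\nconst Commit = \"first\"\n")
RETAGGED_ZIP = make_module_zip("package m\n\nconst Commit = \"second\"\n")
GO_SUM = f"{MODULE} {VERSION} {hash_module_zip(GOOD_ZIP)}\n"  # constructed go.sum line

if __name__ == "__main__":
    for label, z in (("good", GOOD_ZIP), ("retagged", RETAGGED_ZIP)):
        print(label, *verify(MODULE, VERSION, z, GO_SUM))
```

Because the hash covers file contents and names only, not zip timestamps, the same commit always produces the same h1: value, which is why a re-tag to a different commit is detected rather than silently accepted.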

niij commented 2 months ago

@andyrzhao ^

andyrzhao commented 2 months ago

Taking a look now. Thanks for the heads up!

andyrzhao commented 2 months ago

Ok, I've created a PR to bump the version txt to 0.3.4 (used by compiler): https://github.com/googleapis/enterprise-certificate-proxy/pull/128. After that is merged in, I will cut a 0.3.4 release off of that commit. ETA Monday EOD for the release since code-owners are not available on weekends. Thanks!

aknuds1 commented 1 month ago

This was fixed with version v0.3.4.

bendiknesbo commented 1 month ago

Thanks, @andyrzhao, for fixing this.