Open dan-hipschman opened 3 years ago
Please don't override tags.
same issue with go modules :((
same issue with go modules :((
I try to remove my go.sum, use go clean -modcache, then go mod tidy again. Sometimes it's work, sometimes it's not. Now, I have to hardcode the hash in go.sum to make the CI build run, but I cannot run the app in local.
@huucp this works without need to hardcode hashsum:
1) go clean --modcache
2) rm go.sum
3) GOSUMDB=off go mod tidy
or whatever mod command you need
once done, no need for GOSUMDB=off
any more
@huucp
export GOSUMDB=off && go clean -modcache && rm go.sum && go mod tidy
That solution is sadly not possible when using external systems, e.g. GitHub's Dependabot:
verifying github.com/oleiade/reflections@v1.0.0/go.mod: checksum mismatch
downloaded: h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
go.sum: h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Maybe releasing a 1.0.1 could work?
Hi folks,
Really sorry about that!! Thanks for reporting it @dan-hipschman-od (and your kindness about it) much appreciated. I updated all my libraries to support go modules in one go and wanted to "mark the hit" (like we say in french). I realize now, in hindsight, that rewriting the master history, and overriding the existing release was a terrible idea. That's a learning for me 👍
I will release a v1.0.1
right away to address the issue that have been mentioned above.
Thanks for your patience 🦕
I have pushed a v1.0.1
tag, and published a release. Let me know if you're still experiencing issues after bumping the version you use on your side. Thanks for your support 🙏
Hello,
Thanks for
reflections
!We're using this project and had it pinned in
Gopkg.lock
as follows:Earlier today it looks like our builds started failing because the commit
2b6ec3da648e3e834dc41bad8d9ed7f2dc6a9496
no longer exists in this repo. I don't have the full history, but it looks like new commits were force pushed over old commits and and thev1.0.0
tag was updated.Just a heads up that this will break our builds (and whoever else is using it this way). We can update the lock file on our side, but just letting you know it would be appreciated if new commits are only merged and never rebased so history is preserved, and tags aren't updated.
Thanks again! :)