search

safchain / ethtool

A simple ethtool "like" library for GO
Apache License 2.0
116 stars 69 forks source link

Checksum mismatch #57

Closed Ben131-Go closed 7 months ago

Ben131-Go commented 1 year ago

Background

Comparing version v0.2.0 of github.com/safchain/ethtool from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
"name": "GitHub",
"email": "noreply@github.com",
"date": "2022-03-08T21:01:47Z"
}

commit time of the copy on proxy.golang.org

{"Version":"v0.2.0","Time":"2021-10-27T13:15:06Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v0.2.0 tag of github.com/safchain/ethtool might have been retagged after a minor edition on github.
In this case, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/safchain/ethtool@v0.2.0, the following error occurs.


go: downloading github.com/safchain/ethtool v0.2.0
go: github.com/safchain/ethtool@v0.2.0: verifying module: checksum mismatch
downloaded: h1:tjsEsesUSlGdnUAAiIaEvk/YEycwk0k3Q6/q77qGpBI=
sum.golang.org: h1:dILxMBqDnQfX192cCAPjZr9v2IgVXeElHPy435Z/IdE=

SECURITY ERROR This download does NOT match the one reported by the checksum server. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt.

For more information, see 'go help module-auth'.



## Solution
### 1. Release a new tag
I would recommend releasing a new tag to ensure dependency copy in proxy.golang.org and github in sync.

## References
+ <https://proxy.golang.org/>