search

tomarrell / wrapcheck

A Go linter to check that errors from external packages are wrapped
https://blog.tomarrell.com/post/introducing_wrapcheck_linter_for_go
MIT License
291 stars 26 forks source link

Was v1.0.0 republished? #10

Closed Aneurysm9 closed 3 years ago

Aneurysm9 commented 3 years ago

It looks like the v1.0.0 tag may have been published multiple times with different commits, leading to module checksum errors:

go: downloading honnef.co/go/tools v0.1.3
verifying github.com/tomarrell/wrapcheck@v1.0.0: checksum mismatch
    downloaded: h1:Vlt2WgQOtsuhOBvJsqnT79c0BmN568PxEcB+EMNm/yY=
    go.sum:   h1:e/6yv/rH08TZFvkYpaAMrgGbaQHVFdzaPPv4a5EIu+o=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

pkg.go.dev indicates that v1.0.0 was published on 3/17/2021, but this repo indicates it was published yesterday, 3/29/2021.

jkowalski commented 3 years ago

See https://github.com/tomarrell/wrapcheck/issues/8#issuecomment-809662769

tomarrell commented 3 years ago

Sure, I'll restore the tag and draft a new release.

tomarrell commented 3 years ago

I've restored the tag to prevent checksum issues. I was mistaken thinking that only a small number of people installing it in that short time (~4 days) would be affected.