If I try to install latest version using default go proxy GOPROXY="https://proxy.golang.org,direct" everything works fine, but if I turn it off go gives me an error:
bash-5.1# GOPROXY=direct go get -u github.com/uber/tchannel-go
go: downloading github.com/uber/tchannel-go v1.31.0
go get github.com/uber/tchannel-go: github.com/uber/tchannel-go@v1.31.0: verifying module: checksum mismatch
downloaded: h1:/UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8=
sum.golang.org: h1:svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
After investigations I found out that /UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8= checksum is corresponig to the commit tagged with v1.31.0 but svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU= belongs to d84cd5fc7edf41c826124544b2d311aec4c0fbdb commit which is 8 commits behind the v1.31.0. This means that everybody who gets v1.31.0 using go get -u github.com/uber/tchannel-go doesn't really gets 1.31.0 unless they turn go proxy off, but in this case checksum validation is failing.
Proposed solution
Release v1.31.1 ASAP. Even if it points to the same c37322216fe232b4f95591facab054cc1c253d1f commit as v1.30.0.
Problem
If I try to install latest version using default go proxy
GOPROXY="https://proxy.golang.org,direct"
everything works fine, but if I turn it off go gives me an error:After investigations I found out that
/UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8=
checksum is corresponig to the commit tagged withv1.31.0
butsvHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU=
belongs to d84cd5fc7edf41c826124544b2d311aec4c0fbdb commit which is 8 commits behind thev1.31.0
. This means that everybody who getsv1.31.0
usinggo get -u github.com/uber/tchannel-go
doesn't really gets 1.31.0 unless they turn go proxy off, but in this case checksum validation is failing.Proposed solution
Release
v1.31.1
ASAP. Even if it points to the same c37322216fe232b4f95591facab054cc1c253d1f commit asv1.30.0
.