uber / tchannel-go

Go implementation of a multiplexing and framing protocol for RPC calls
http://uber.github.io/tchannel/
MIT License
490 stars 84 forks

Default go proxy has stale version #883

Open alexshtin opened 2 years ago

alexshtin commented 2 years ago

Problem

If I try to install the latest version using the default Go proxy GOPROXY="https://proxy.golang.org,direct", everything works fine, but if I turn it off, go gives me an error:

bash-5.1# GOPROXY=direct go get -u github.com/uber/tchannel-go
go: downloading github.com/uber/tchannel-go v1.31.0
go get github.com/uber/tchannel-go: github.com/uber/tchannel-go@v1.31.0: verifying module: checksum mismatch
        downloaded: h1:/UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8=
        sum.golang.org: h1:svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

After investigating, I found out that the /UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8= checksum corresponds to the commit tagged with v1.31.0, but svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU= belongs to the d84cd5fc7edf41c826124544b2d311aec4c0fbdb commit, which is 8 commits behind v1.31.0. This means that everybody who gets v1.31.0 using go get -u github.com/uber/tchannel-go doesn't really get 1.31.0 unless they turn the Go proxy off, but in this case checksum validation is failing.

Proposed solution

Release v1.31.1 ASAP, even if it points to the same c37322216fe232b4f95591facab054cc1c253d1f commit as v1.30.0.
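
The h1: values in the error above are hashes of the module's whole file tree, so two different commits served under one version label cannot both match what the checksum database recorded. The following is an added example, not code from this issue or from tchannel-go: it reimplements that hash with the standard library only (the go command's own version is Hash1 in golang.org/x/mod/sumdb/dirhash). The module path example.com/demo and both file trees are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 reproduces the "h1:" module hash: SHA-256 over a sorted manifest with
// one "<hex sha256>  <module>@<version>/<path>\n" line per file.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(manifest, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify mirrors the comparison the go command makes before trusting a download.
func verify(files map[string][]byte, recorded string) error {
	if got := hashH1(files); got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s", got, recorded)
	}
	return nil
}

// Constructed trees: the same module@version label built from two different commits.
const mod = "example.com/demo@v1.0.0/" // hypothetical module, not tchannel-go

func treeFromTag() map[string][]byte {
	return map[string][]byte{mod + "go.mod": []byte("module example.com/demo\n"), mod + "demo.go": []byte("package demo // tagged commit\n")}
}

func treeFromOlderCommit() map[string][]byte {
	return map[string][]byte{mod + "go.mod": []byte("module example.com/demo\n"), mod + "demo.go": []byte("package demo // older commit\n")}
}

func main() {
	recorded := hashH1(treeFromOlderCommit()) // what a checksum database first saw
	fmt.Println("older commit:", recorded)
	fmt.Println("tag commit:  ", hashH1(treeFromTag()))
	fmt.Println(verify(treeFromTag(), recorded)) // direct download of the tag fails
}
```

Because the version string is part of every manifest line, publishing the same commit under a new version number produces a new hash with no earlier record to conflict with.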

alexshtin commented 2 years ago

A few helpful links:
https://sum.golang.org/lookup/github.com/uber/tchannel-go@v1.31.0
https://github.com/vikyd/go-checksum

alexshtin commented 2 years ago

Consider retracting 1.30.0 using retract.