vartanbeno / go-reddit

Go library for accessing the Reddit API.

checksum 2.0.0 release changed #26

Open marcofranssen opened 2 years ago

marcofranssen commented 2 years ago

What happened to the 2.0.0 release?

The checksum has changed. Has this release been compromised?

https://github.com/marcofranssen/gothermostat/pull/121/checks?check_run_id=3717744193#step:5:6

mrz1836 commented 2 years ago

I am having the same issue:

verifying github.com/vartanbeno/go-reddit/v2@v2.0.0: checksum mismatch
    downloaded: h1:fxYMqx5lhbmJ3yYRN1nnQC/gecRB3xpUS2BbG7GLpsk=
    go.sum:     h1:vjb+mY2GwC00uKeXdM+efhzEJoScc0oQfP5CZrE2R28=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

takirala commented 2 years ago

+1

facing the same issue

marcofranssen commented 2 years ago

@vartanbeno any clue if this was an intended action from your side causing this issue for consumers of the library, or if this is a compromise in the library? Would be great to give us an update from your perspective.

caarlos0 commented 2 years ago

I got reports about this as well... but for me it works fine...

My guess is some funky go mod proxy, but as I can't reproduce I don't know as well...

My suggestion would be to tag a v2.0.1 just in case @vartanbeno, especially if you recreated the tag at some point in time...

Anorlondo448 commented 2 years ago

+1

same issue...

philpennock commented 2 years ago

Encountered the same issue, and investigated. If folks are using the official Go proxy hosted by Google, they won't see this issue because they'll just be given the same module which was cached and made it into the sumdb, which means we can download both the seen-by-Google .zip and the .zip which fails, and extract and diff the trees.

Running diff -ur GORED-LIVE GORED-GOOGLEPROXY yields this:

diff -ur GORED-LIVE/github.com/vartanbeno/go-reddit/v2@v2.0.0/CHANGELOG.md GORED-GOOGLEPROXY/github.com/vartanbeno/go-reddit/v2@v2.0.0/CHANGELOG.md
--- GORED-LIVE/github.com/vartanbeno/go-reddit/v2@v2.0.0/CHANGELOG.md   1979-12-31 00:00:00.000000000 -0500
+++ GORED-GOOGLEPROXY/github.com/vartanbeno/go-reddit/v2@v2.0.0/CHANGELOG.md    1979-12-31 00:00:00.000000000 -0500
@@ -1,6 +1,6 @@
 # Change Log

-## [v2.0.0] - 2021-01-31
+## [v2.0.0] - 2021-01-24

 - The underlying `*http.Client` is now passed as an option when initializing a client.
 - Use value type instead of pointer for credentials when initializing a client.
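Review bot: the only difference in this hunk is the date in the `## [v2.0.0]` heading, 2021-01-31 in the live tree versus 2021-01-24 in the tree cached by the Google proxy, so the tag was re-pointed at a commit made after the version the checksum database recorded; a CHANGELOG entry under an already-published tag should not be rewritten in place, and the corrected date belongs in the entry for a new patch release.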
diff -ur GORED-LIVE/github.com/vartanbeno/go-reddit/v2@v2.0.0/README.md GORED-GOOGLEPROXY/github.com/vartanbeno/go-reddit/v2@v2.0.0/README.md
--- GORED-LIVE/github.com/vartanbeno/go-reddit/v2@v2.0.0/README.md  1979-12-31 00:00:00.000000000 -0500
+++ GORED-GOOGLEPROXY/github.com/vartanbeno/go-reddit/v2@v2.0.0/README.md   1979-12-31 00:00:00.000000000 -0500
@@ -16,7 +16,7 @@

 ## Overview

-**Featured in issues [327](https://golangweekly.com/issues/327) and [347](https://golangweekly.com/issues/347) of Golang Weekly 🎉**
+**Featured in [issue 327 of Golang Weekly](https://golangweekly.com/issues/327) 🎉**

 go-reddit is a Go client library for accessing the Reddit API.
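Review bot: this hunk is a documentation-only change, the live README additionally cites issue 347 of Golang Weekly, yet it still alters the module zip and therefore its h1: hash; README edits should land on the branch and ship under a new tag rather than by moving v2.0.0.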

So it's not malicious, but the git tag was apparently moved after initial release, causing the usual cascade of checksum mismatches. The contents seen initially by the checksum security DB correspond to v2.0.0 having been on commit e60ea72 instead of its current ff5b4e8.

This is going to continue causing problems for anyone building any app using this module, depending upon whether or not the builder is using the google proxy, as long as they're using the security-guard checksum DB, and nobody should recommend disabling that.

The only sane fix is going to be to cut a v2.0.1 tag and ask dependents to upgrade to that.
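
As an added illustration, not code from this thread or from go-reddit, of why a documentation-only tag move produces exactly the mismatch quoted above: the module hash recorded in go.sum and sum.golang.org is computed over the contents and paths of every file in the module zip, so a changed date in CHANGELOG.md flips it just as a changed .go file would. The hash construction below is the real "h1:" construction (as in golang.org/x/mod/sumdb/dirhash, reimplemented on the standard library); the three-file module trees, their contents and the Verify helper are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleTree stands in for an extracted module zip: each key is the path
// inside the zip (always prefixed "module@version/"), the value is the
// file contents. Only contents and paths feed the hash; mtimes do not.
type ModuleTree map[string][]byte

// Hash1 computes the "h1:" module hash that go.sum and sum.golang.org
// record: one line "<hex sha256 of contents>  <path>\n" per file in
// sorted path order, then "h1:" plus the base64 SHA-256 of that summary.
func Hash1(tree ModuleTree) string {
	paths := make([]string, 0, len(tree))
	for p := range tree {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	summary := sha256.New()
	for _, p := range paths {
		fileSum := sha256.Sum256(tree[p])
		fmt.Fprintf(summary, "%x  %s\n", fileSum, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Verify is the check the go command performs before trusting a download:
// the hash of what arrived must equal the hash already recorded in go.sum.
func Verify(recorded string, downloaded ModuleTree) error {
	got := Hash1(downloaded)
	if got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", got, recorded)
	}
	return nil
}

const prefix = "github.com/vartanbeno/go-reddit/v2@v2.0.0/"

// OriginalTree is a constructed tree standing in for the zip that the
// checksum database recorded (CHANGELOG dated 2021-01-24).
func OriginalTree() ModuleTree {
	return ModuleTree{
		prefix + "CHANGELOG.md": []byte("# Change Log\n\n## [v2.0.0] - 2021-01-24\n"),
		prefix + "README.md":    []byte("**Featured in [issue 327 of Golang Weekly](https://golangweekly.com/issues/327)**\n"),
		prefix + "reddit.go":    []byte("package reddit\n"),
	}
}

// MovedTagTree is the same tree after the tag was re-pointed: identical
// Go source, only the two documentation files differ.
func MovedTagTree() ModuleTree {
	t := OriginalTree()
	t[prefix+"CHANGELOG.md"] = []byte("# Change Log\n\n## [v2.0.0] - 2021-01-31\n")
	t[prefix+"README.md"] = []byte("**Featured in issues [327](https://golangweekly.com/issues/327) and [347](https://golangweekly.com/issues/347) of Golang Weekly**\n")
	return t
}

func main() {
	recorded := Hash1(OriginalTree()) // what go.sum and sum.golang.org hold
	fmt.Println("go.sum:    ", recorded)
	fmt.Println("moved tag: ", Hash1(MovedTagTree()))
	if err := Verify(recorded, MovedTagTree()); err != nil {
		fmt.Println("verifying", prefix[:len(prefix)-1]+":", err)
	}
}
```

Because the per-file lines are sorted by path and the summary covers every file, there is no way to change any byte of the zip, source or documentation, without changing the recorded hash; that is why a new tag, not a reverted or re-moved one, is the clean way out once two different zips have been published under the same version.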

philpennock commented 2 years ago

(The tag could also be moved back, but other checksum DBs might exist and have cached the newer tag position, so you'd be trading off which community of users gets download errors, thus the new tag suggestion from myself and other people above.)

kwyn commented 2 years ago

I've just run into this error as well. Can we get a tag bump? The patch semver even makes sense in this case.

caarlos0 commented 2 years ago

the lib author has been inactive on github since May... maybe someone wants to fork it?