go-collectd
checksum mismatch with v0.5.0
The sum.golang.org reports hashes of:
```
collectd.org v0.5.0 h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=
collectd.org v0.5.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE=
```
However, if a user attempts to use collectd.org and run `GOPROXY=direct go mod tidy`, meaning directly download the package from the version control system (i.e. github) as opposed to the module proxy, the result is a checksum mismatch:
```
go: downloading collectd.org v0.5.0
verifying collectd.org@v0.5.0: checksum mismatch
	downloaded: h1:mRTLdljvxJNXPMMO9RSxf0PANDAqu/Tz+I6Dt6OjB28=
	go.sum:     h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
```
This can be reproduced with:
```go
// main.go
package main

import _ "collectd.org/api"

func main() {}
```

```
// go.mod
module test

go 1.17

require collectd.org v0.5.0
```
This was reported to me via https://github.com/influxdata/telegraf/issues/10408
Can confirm this issue (happens when I build telegraf as part of a buildroot project). I have the exact same checksum mismatch.
Looks like this is caused by the tag that v0.5.0 points to changing to point to a different commit. As we can't control the proxy we would need to resolve it by creating a new point release. @octo would you be happy to tag a release v0.5.1 to resolve this issue?
```
replace (
	collectd.org v0.5.0 => github.com/collectd/go-collectd v0.5.0
)
```
@octo would you be willing to create the v0.5.1 to resolve this? It would be nice to have rather than using the replace option.
please fix this, I have the exact same checksum mismatch.
@octo would you be willing to create the v0.5.1 to resolve this? It would be nice to have rather than using the replace option.
@octo ?
✅ done
Since c7dfb957797963597d619fd815cc2c123cef63e8 adds a new method, I've tagged this as v0.6.0.
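How the `h1:` values quoted in this thread are derived, and why a tag that moves to a different commit fails verification, shown as an added example that is not part of the original issue or of go-collectd. It reimplements the Go module `h1:` directory hash with the standard library only and runs it over two constructed file trees; `hashH1`, `verify`, `treeA`, `treeB` and the `example.test/m` module path are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 computes the "h1:" hash go.sum records for a file tree: SHA-256 over
// the sorted lines "<hex sha256 of file>  <name>\n", base64-encoded.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify compares a freshly computed hash with the one recorded in go.sum.
func verify(recorded string, files map[string][]byte) error {
	if got := hashH1(files); got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", got, recorded)
	}
	return nil
}

// Constructed trees (assumption): one tag name resolved to two different commits.
var (
	treeA = map[string][]byte{
		"example.test/m@v1.0.0/go.mod": []byte("module example.test/m\n"),
		"example.test/m@v1.0.0/api.go": []byte("package api\n"),
	}
	treeB = map[string][]byte{
		"example.test/m@v1.0.0/go.mod": []byte("module example.test/m\n"),
		"example.test/m@v1.0.0/api.go": []byte("package api\n\nfunc New() {}\n"),
	}
)

func main() {
	recorded := hashH1(treeA) // hash recorded when the tag was first fetched
	fmt.Println("first commit:", verify(recorded, treeA))
	fmt.Println("moved tag:   ", verify(recorded, treeB))
}
```

The `/go.mod` line in go.sum uses the same hash over a single entry named `go.mod`, so a moved tag changes the module hash while leaving the `/go.mod` hash intact whenever go.mod itself is unchanged.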