
The checksums generated by sum.golang.org and gosum.io are different

Open starryrbs opened this issue 1 year ago • 1 comments

package: github.com/StackExchange/wmi@v1.2.0

curl https://goproxy.io/sumdb/sum.golang.org/lookup/github.com/!stack!exchange/wmi@v1.2.0

output

5962738
github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=

go.sum database tree
11824063
WCl512Pdu5vjuBVhKZhK+XZw6Xp/DWkqqvzSQdp+8q4=

— sum.golang.org Az3grjvrvdlD1XXg3nTv0Xpy0rz1iE0usJdqgypkJPeH4tSKI4P0SBoKRlVee1N6BVXR7j7kWLsa7SsnzV7lxL/LPQA=

curl https://goproxy.io/sumdb/gosum.io/lookup/github.com/!stack!exchange/wmi@v1.2.0

output

28882
github.com/StackExchange/wmi v1.2.0 h1:BfLCNdXnvwgy5RrRI3IyQ64ZItZngXHN+7PxU5RvKxA=
github.com/StackExchange/wmi v1.2.0/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=

go.sum database tree
56431
b7RJRhGEDAmIbdecPnyJsCgh0x9u+23qxh3fWCyVVcs=

— gosum.io zm51ZVqJGN5U5qZxcbzblEeXvKYABVzfVFQwyEJge3jktE6lAycaYl7b15TJepOrBBBjvUXt0b92oBk2DRumCBzBFQ0=

go mod download

output

github.com/StackExchange/wmi@v1.2.0: verifying module: checksum mismatch
	downloaded: h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
	gosum.io: h1:BfLCNdXnvwgy5RrRI3IyQ64ZItZngXHN+7PxU5RvKxA=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.

starryrbs, Aug 10 '22 09:08

It should be

github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=

Maybe the version (git tag) v1.2.0 was released twice or more.

gosum.io didn't get this change, so it keeps the old checksum.

hxzhao527, Aug 10 '22 14:08
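
The comparison done by hand in this thread can be scripted. The following Go program is an added example, not part of the issue or of goproxy: it parses the record section of two `/lookup` responses (record number, go.sum lines, blank line, signed tree note) and reports every go.sum key on which the two checksum databases disagree. The names `parseLookup` and `diverging` are illustrative, and the inputs are the two responses quoted above, cut off after the tree header line.

```go
package main

import (
	"fmt"
	"strings"
)

// Lookup bodies copied from the issue above, cut off after the tree header line.
const sumGolang = `5962738
github.com/StackExchange/wmi v1.2.0 h1:noJEYkMQVlFCEAc+2ma5YyRhlfjcWfZqk5sBRYozdyM=
github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=

go.sum database tree`
const gosumIO = `28882
github.com/StackExchange/wmi v1.2.0 h1:BfLCNdXnvwgy5RrRI3IyQ64ZItZngXHN+7PxU5RvKxA=
github.com/StackExchange/wmi v1.2.0/go.mod h1:rcmrprowKIVzvc+NUiLncP2uuArMWLCbu9SBzvHz7e8=

go.sum database tree`

// parseLookup maps "module version[/go.mod]" to its h1: hash for one response.
func parseLookup(body string) (map[string]string, error) {
	rec, _, _ := strings.Cut(body, "\n\n") // drop the signed tree note
	out := map[string]string{}
	for _, l := range strings.Split(strings.TrimSpace(rec), "\n")[1:] { // [0] is the record number
		f := strings.Fields(l)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line %q", l)
		}
		out[f[0]+" "+f[1]] = f[2]
	}
	return out, nil
}

// diverging returns, for each go.sum key present in both, the pair of hashes that disagree.
func diverging(a, b map[string]string) map[string][2]string {
	diff := map[string][2]string{}
	for k, ha := range a {
		if hb, ok := b[k]; ok && ha != hb {
			diff[k] = [2]string{ha, hb}
		}
	}
	return diff
}

func main() {
	a, _ := parseLookup(sumGolang)
	b, _ := parseLookup(gosumIO)
	fmt.Println(diverging(a, b))
}
```

For this module both the zip hash and the `/go.mod` hash differ between the two databases, so the download fails verification whenever `GOSUMDB` points at the one whose record does not match the bits the proxy serves.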