Describe the bug
It looks like tag v0.20.4 was removed and added again, including a few extra commits. However, the first version has already been picked up by proxy.golang.org and sum.golang.org, which now causes issues when using the version
To Reproduce
This "works":
$ GOSUMDB=sum.golang.org GOMODCACHE=$(mktemp -d) GOPROXY=https://proxy.golang.org go mod download github.com/google/[email protected]
This does not work:
$ GOSUMDB=sum.golang.org GOMODCACHE=$(mktemp -d) GOPROXY=direct go mod download github.com/google/[email protected]
go: github.com/google/[email protected]: verifying module: checksum mismatch
downloaded: h1:wQ614GjDrt6MiV9fwIVBdJqmDuup3Fho6QfltIrnNSw=
sum.golang.org: h1:w/Fdj3ef046SdV/GJU69cCnreaLpqbTo1X9XPyHbkd4=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Expected behavior
The mod should still match the reported checksum. Not sure if there is anything that can be done other then retagging a new v0.20.5.
Additional context
$ go version
go version go1.24.3 linux/amd64
Describe the bug
It looks like tag v0.20.4 was removed and added again, including a few extra commits. However, the first version has already been picked up by proxy.golang.org and sum.golang.org, which now causes issues when using the version
To Reproduce
This "works":
This does not work:
Expected behavior
The mod should still match the reported checksum. Not sure if there is anything that can be done other then retagging a new v0.20.5.
Additional context