Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Version v1.8.5 had been originally tagged for commit hash that was subsequently removed, and replaced by another commit hash.
Even though the window of time between the two release events was less than 10 minutes, it was enough to get the go mod proxy confused, resulting in errors about mismatched checksums.
sum.golang.org is intended to guarantee that all Go users see the same code for a given module version. There's no way for it to know whether a change to a release was an intentional fix, a mistake, or an attack. Either way, reproducible builds are fundamental goal of the module ecosystem and users should be able to rely on things not changing invisibly.
If you use proxy.golang.org, it will serve you the same data for the version that sum.golang.org saw.
This adds the retract directive to the
go.mod
file for cockroachdb/errors so retracted versions will be hidden from the version list printed bygo list -m -versions
unless the-retracted
flag is used. Retracted versions are excluded when resolving version queries like@>=v1.2.3
or@latest
.This will also prevent consumers of this library that run
go mod verify
andgo mod download -x
from looking at the bad checksum from the older v1.8.5 release after a newer v1.8.7 is published and depended on.Signed-off-by: Steve Coffman steve@khanacademy.org
This change is