
Fully address #82 #83

Closed
wants to merge 1 commit into from
Conversation

StevenACoffman
Contributor

@StevenACoffman StevenACoffman commented Aug 3, 2021

Version v1.8.5 had been originally tagged for commit hash that was subsequently removed, and replaced by another commit hash.
Even though the window of time between the two release events was less than 10 minutes, it was enough to get the go mod proxy confused, resulting in errors about mismatched checksums.

sum.golang.org is intended to guarantee that all Go users see the same code for a given module version. There's no way for it to know whether a change to a release was an intentional fix, a mistake, or an attack. Either way, reproducible builds are a fundamental goal of the module ecosystem, and users should be able to rely on things not changing invisibly.

If you use proxy.golang.org, it will serve you the same data for the version that sum.golang.org saw.

This adds the retract directive to the go.mod file for cockroachdb/errors so retracted versions will be hidden from the version list printed by go list -m -versions unless the -retracted flag is used. Retracted versions are excluded when resolving version queries like @>=v1.2.3 or @latest.

This will also prevent consumers of this library that run go mod verify and go mod download -x from looking at the bad checksum from the older v1.8.5 release after a newer v1.8.7 is published and depended on.

Signed-off-by: Steve Coffman steve@khanacademy.org


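What the described change looks like in go.mod, as an added illustration rather than the PR's actual diff: the module path is the real one, but the go directive, the choice to retract only v1.8.5 (the page names no other bad tag), the rationale comment and the omission of the require block are assumptions made for this example.

```gomod
module github.com/cockroachdb/errors

// Assumption: the go directive is set to 1.16, the first release whose go.mod
// parser understands the retract verb. Older toolchains fail on this file with
// an "unknown directive" parse error, which is the CI failure seen in this thread.
go 1.16

// require block omitted for brevity (assumption: unchanged by the retraction).

// Assumption: only v1.8.5 is retracted. The comment on the same line is the
// rationale; the go command shows it to consumers alongside "(retracted)".
retract v1.8.5 // Tag was moved to a different commit after publication; sum.golang.org recorded the original checksum.
```

Two caveats a practitioner should keep in mind. First, a retraction only takes effect once it ships in a tagged release newer than the versions it retracts, because the go command reads the retract list from the module's latest version, not from the repository head; after that, `go list -m -versions github.com/cockroachdb/errors` omits v1.8.5, `go list -m -versions -retracted github.com/cockroachdb/errors` still shows it, and consumers already on v1.8.5 see it flagged as retracted by `go list -m -u`. Second, retraction does not repair the checksum mismatch itself: sum.golang.org keeps the checksum of the original commit, so a go.sum that pins v1.8.5 to the moved tag will keep failing `go mod verify` until the consumer moves to a newer version; the directive steers version resolution away from the bad tag, nothing more.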

@knz
Contributor

knz commented Aug 5, 2021

This fails CI

@StevenACoffman
Contributor Author

Ah, crud! I forgot the retract directive was only introduced in Go 1.16, so this would break in Go 1.15 and earlier. Ok, thanks for your patience. Closing.
