[BUG]: dependencies of 4.3.0 not buildable from source

[eikemeier]

What version of Badger are you using?

v4.3.0

What version of Go are you using?

go1.23.2

Have you tried reproducing the issue with the latest release?

Yes

What is the hardware spec (RAM, CPU, OS)?

n/a

What steps will reproduce the bug?

go mod init example.com/badger-test

Add a file main.go:

package main

import (
	"fmt"

	"github.com/dgraph-io/badger/v4"
)

func main() {
	fmt.Println(badger.ErrDBClosed)
}

go get github.com/dgraph-io/badger/v4@v4.3.0
go mod tidy
fgrep github.com/dgraph-io/badger/v4 go.sum

You'll end ups with a go.mod containing:

github.com/dgraph-io/badger/v4 v4.3.0 h1:lcsCE1/1qrRhqP+zYx6xDZb8n7U+QlwNicpc676Ub40=
github.com/dgraph-io/badger/v4 v4.3.0/go.mod h1:Sc0T595g8zqAQRDf44n+z3wG4BOqLwceaFntt8KPxUM=

Now clean the module cache and try to build from source:

go clean -modcache
env GOPRIVATE=github.com/dgraph-io/badger go run .

go: downloading github.com/dgraph-io/badger/v4 v4.3.0
verifying github.com/dgraph-io/badger/v4@v4.3.0: checksum mismatch
downloaded: h1:JZ8tapVYg+6sFQqg+BOokAxX+t09UeVPsPoXIq7jlNg=
go.sum: h1:lcsCE1/1qrRhqP+zYx6xDZb8n7U+QlwNicpc676Ub40=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

Expected behavior and actual result.

The program should be buildable from source. Affects https://github.com/dgraph-io/dgraph v24.0.4:

https://github.com/dgraph-io/dgraph/blob/v24.0.4/go.sum#L143-L144

Additional information

The tagged version depends on github.com/google/flatbuffers v24.3.25+incompatible in go.mod while the version in the sumdb depends on github.com/google/flatbuffers v1.12.1.

[mangalaman93]

I followed these exact steps and did not see the error that you mention. Am I missing something?

[eikemeier]

I followed these exact steps and did not see the error that you mention. Am I missing something?

Maybe. Make sure all caches are cleaned between steps.

go clean -cache -modcache; rm go.sum
go get github.com/dgraph-io/badger/v4@v4.3.0
fgrep github.com/google/flatbuffers "$(go env GOMODCACHE)/github.com/dgraph-io/badger/v4@v4.3.0/go.mod"

should give github.com/google/flatbuffers v1.12.1, while

go clean -cache -modcache; rm go.sum
env GOPRIVATE=\* go get github.com/dgraph-io/badger/v4@v4.3.0
fgrep github.com/google/flatbuffers "$(go env GOMODCACHE)/github.com/dgraph-io/badger/v4@v4.3.0/go.mod"

should result in github.com/google/flatbuffers v24.3.25+incompatible.

[kruskall]

This is the same issue as #2113

the 4.3.0 version was "tampered" and should probably be retracted at this point. I think a tag was created and later deleted (can't do this with go versions).

github v4.3.0 tag (https://github.com/dgraph-io/badger/releases/tag/v4.3.0) points at 02d7531

go list -m -json github.com/dgraph-io/badger/v4@v4.3.0 points at 2725dc8

The diff between the two commits looks safe: 2725dc8...02d7531

[mangalaman93]

Apologies for the confusion, working on retracting it. Thanks for filing an issue.

[eikemeier]

Apologies for the confusion, working on retracting it. Thanks for filing an issue.

No problem. I think the proper “fix” would be to move the tag to the correct commit (2725dc8) and investigate why this happened.

Retracting has the effect that everyone can not build dependent projects, like the current github.com/dgraph-io@v24.0.4.