v0.1.1
What's Changed
Full Changelog: v0.1.0...v0.1.1
⚠️ Windows Defender warnings & verifying this release
Windows may flag the native go TUI client: graphite-meter-client.exe (e.g. Trojan:Win32/Wacatac.C!ml or a SmartScreen prompt). This is most likely a false positive — Defender's ML heuristics routinely flag unsigned Go binaries with no download history, and this project has no code-signing certificate. Don't take that on trust: this release is bit-for-bit reproducible, so you can verify it yourself.
1. Verify your download
Checks the archive wasn't corrupted or swapped in transit (checksums.txt covers the archives):
# Linux / macOS
sha256sum -c checksums.txt --ignore-missing# Windows — compare against the matching line in checksums.txt
Get-FileHash .\graphite-meter-client_0.1.1_windows_amd64.zip -Algorithm SHA2562. Rebuild from source and compare
Proves the binary contains exactly the tagged source. Works from any OS (Go cross-compiles deterministically); needs only Git and Go. GOTOOLCHAIN pins the exact release compiler — a different Go version legitimately changes the bytes. core.autocrlf=false and the clean-tree check matter: any modification flips the embedded vcs.modified flag and the hash.
# Linux / macOS
git clone -c core.autocrlf=false https://github.com/zR-JB/graphite-meter
cd graphite-meter && git checkout v0.1.1 && cd go
git status --porcelain # must print nothing
GOTOOLCHAIN=go1.26.4 CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath \
-ldflags "-X github.com/zR-JB/graphite-meter/go/internal/goclient.Version=0.1.1" \
-o graphite-meter-client.exe ./cmd/graphite-meter-client
sha256sum graphite-meter-client.exe# Windows
git clone -c core.autocrlf=false https://github.com/zR-JB/graphite-meter
cd graphite-meter; git checkout v0.1.1; cd go
git status --porcelain # must print nothing
$env:GOTOOLCHAIN="go1.26.4"; $env:CGO_ENABLED="0"; $env:GOOS="windows"; $env:GOARCH="amd64"
go build -trimpath -ldflags "-X github.com/zR-JB/graphite-meter/go/internal/goclient.Version=0.1.1" -o graphite-meter-client.exe ./cmd/graphite-meter-client
Get-FileHash .\graphite-meter-client.exe -Algorithm SHA256Compare against the binary extracted from the release archive (hash the binary, not the zip/tar.gz — archives embed timestamps and never reproduce). Expected hashes for v0.1.1:
7ec6abba846dcb02e58c602097779c765f4d707364f117b900c06e6ec379e018 windows/amd64 graphite-meter-client.exe
302637289ee7bb84773e6f64a9e300a9afb8278856ee7d49272161272e0fb060 linux/amd64 graphite-meter-client
d1756f9c91a6c5c432634e1ffc08ac50d003113b83f9d5afea71c4cf7891fcd2 linux/arm64 graphite-meter-client
347709f591330543e1ab0eb5da83eb88f1aad246679f08d56881443a08442cd0 darwin/amd64 graphite-meter-client
386c2ace0c26beb7d14184050c10c9435b3bf464187cc1f747c272e92a7708c2 darwin/arm64 graphite-meter-client
For other platforms, change GOOS/GOARCH and drop the .exe. If a hash differs, go version -m <binary> prints every build input (compiler, vcs.revision, vcs.modified, all dependency checksums) — the differing line is your explanation.
3. Audit the code and dependencies
The client is small: go/cmd/graphite-meter-client + go/internal/goclient — no os/exec, no telemetry, no network destination beyond the server URL you pass it. Four direct dependencies (Charm Bubble Tea TUI stack, coder/websocket, santhosh-tekuri/jsonschema), all hash-pinned in go/go.sum and verified against Go's public checksum transparency log on every build. cd go && GOOS=windows go mod why -m <module> explains why any dependency is present. The pipeline (release.yml) uses SHA-pinned actions and only publishes tags merged to main.