Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency checksum mismatch in Google sumdb. #2683

Closed
4 tasks done
chrisdoherty4 opened this issue Mar 25, 2022 · 3 comments · Fixed by #2684
Closed
4 tasks done

Dependency checksum mismatch in Google sumdb. #2683

chrisdoherty4 opened this issue Mar 25, 2022 · 3 comments · Fixed by #2684
Labels
bug Something isn't working dependencies Relates to an upstream dependency

Comments

@chrisdoherty4
Copy link

chrisdoherty4 commented Mar 25, 2022
edited
Loading

Welcome

  • Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.
  • Yes, I've searched similar issues on GitHub and didn't find any.
  • Yes, I've included all information below (version, config, etc).
  • Yes, I've tried with the standalone linter if available. (https://golangci-lint.run/usage/linters/)

Description of the problem

See blizzy78/varnamelen#13.

There's a checksum mismatch in the golang database for github.com/blizzy78/[email protected]. See 'Verbose output of running' for the golangci-lint install.

The output of installing the dependency directly is as follows.

$ GOPROXY=direct go get github.com/blizzy78/[email protected]
go: downloading github.com/blizzy78/varnamelen v0.6.1
go: github.com/blizzy78/[email protected]: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Version of golangci-lint

latest (1.45.2)

Configuration file

n/a

Go environment

GOPROXY=direct

Verbose output of running

$ GOPROXY=direct go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
go: downloading github.com/blizzy78/varnamelen v0.6.1
/Users/cpd/.go/pkg/mod/github.com/golangci/[email protected]/pkg/golinters/varnamelen.go:7:2: github.com/blizzy78/[email protected]: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Code example or link to a public repository

n/a
@chrisdoherty4 chrisdoherty4 added the bug Something isn't working label Mar 25, 2022
@boring-cyborg
Copy link

boring-cyborg bot commented Mar 25, 2022

Hey, thank you for opening your first Issue ! 🙂 If you would like to contribute we have a guide for contributors.

@ldez ldez self-assigned this Mar 25, 2022
@chrisdoherty4 chrisdoherty4 mentioned this issue Mar 25, 2022
Closed
@chrisdoherty4
Copy link
Author

@ldez You could try downgrading the dep? I was going to try myself to unblock golangci-lint.

@blizzy78
Copy link
Contributor

As mentioned in blizzy78/varnamelen#13 (comment), this is my fault.

I think it should be enough to tag varnamelen's current commit in master with v0.6.2, then use that as a dependency in golangci-lint. There were no functionality changes in between, so v0.6.2 will be the same as the intended v0.6.1.

@blizzy78 blizzy78 mentioned this issue Mar 25, 2022
Merged
@ldez ldez added the dependencies Relates to an upstream dependency label Mar 25, 2022
@ldez ldez removed their assignment Mar 25, 2022
@ldez ldez mentioned this issue Mar 29, 2022
Closed
4 tasks
@kamilsk kamilsk mentioned this issue Apr 10, 2022
Closed
@abhinavmpandey08 abhinavmpandey08 mentioned this issue May 13, 2022
Merged
3 tasks
mergify bot added a commit to tinkerbell/smee that referenced this issue May 13, 2022
@mergify
Upgrade golangci-lint to version v1.46.1 (#272)
ab716aa 
Signed-off-by: Abhinav Pandey <[email protected]>

## Description
Upgrades `golangci-lint` to `v1.46.1`

## Why is this needed
`[email protected]` had a dependency which had invalid checksums most likely because of a re-release golangci/golangci-lint#2683.

This issue was resolved in `v1.46.1`

## How Has This Been Tested?
updated the `golangci-lint` version in go.mod and ran `go mod tidy` and build and verified that it works

## How are existing users impacted? What migration steps/scripts do we need?
No user impact


## Checklist:

I have:

- [ ] updated the documentation and/or roadmap (if required)
- [ ] added unit or e2e tests
- [ ] provided instructions on how to upgrade
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working dependencies Relates to an upstream dependency
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bump varnamelen from v0.6.1 to v0.6.2 blizzy78/golangci-lint
3 participants
@blizzy78 @chrisdoherty4 @ldez