Re-release v0.3.3 as v0.3.4 #127

Closed
bendiknesbo opened this issue Sep 4, 2024 · 5 comments
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

bendiknesbo commented Sep 4, 2024

There appears to have been an erroneous release of v0.3.3, where (presumably) commit f21be58 was tagged, instead of f3de1e7.
This has since been corrected, so f3de1e7 is the tagged commit now.

However, module proxies and mirrors have already managed to get ahold of the erroneously tagged version, and are still distributing that version, while others end up with the correct version.

This leads to security errors on go get:

verifying github.com/googleapis/[email protected]: checksum mismatch
        downloaded: h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=
        go.sum:     h1:G6q7VHBoU74wQHXFsZSLMPl0rFw0ZDrlZ3rt6/aTBII=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

The official Go module proxy recommends releasing a new version and encouraging the use of the fixed version:

I removed a bad release from my repository but it still appears in the mirror, what should I do?
Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.

I suggest you bump to v0.3.4, and release that properly.
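
Why moving a tag produces the mismatch reported above, as an added example that is not part of the original post or the project's code: it reimplements the `h1:` directory hash that go.sum records (the algorithm of `golang.org/x/mod/sumdb/dirhash.Hash1`) and compares two trees published under the same version. The module path `example.com/mod` and the file contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 computes the "h1:" hash stored in go.sum: SHA-256 over one
// "<hex sha256 of file>  <name>\n" line per file, sorted by file name.
func hashH1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256([]byte(files[n])), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify mimics the go.sum comparison: it fails when go.sum already holds a
// hash for module@version that differs from the hash of the downloaded tree.
func verify(goSum, module, version string, files map[string]string) error {
	got := hashH1(files)
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version && f[2] != got {
			return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", module, version, got, f[2])
		}
	}
	return nil
}

// Constructed trees: one version tag that pointed at two different commits.
const mod = "example.com/mod" // hypothetical module path

var (
	firstTag = map[string]string{mod + "@v0.3.3/go.mod": "module example.com/mod\n", mod + "@v0.3.3/version.txt": "0.3.2\n"}
	movedTag = map[string]string{mod + "@v0.3.3/go.mod": "module example.com/mod\n", mod + "@v0.3.3/version.txt": "0.3.3\n"}
)

func main() {
	goSum := mod + " v0.3.3 " + hashH1(firstTag) + "\n" // recorded on first download
	fmt.Println(verify(goSum, mod, "v0.3.3", firstTag)) // same tree: no error
	fmt.Println(verify(goSum, mod, "v0.3.3", movedTag)) // moved tag: mismatch
}
```

Because a proxy that cached the first tree and an origin serving the second both answer for the same version string, consumers see different hashes for one version; only a new version number gives every source a single tree to agree on.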

bendiknesbo changed the title from "Re-release v0.3.3" to "Re-release v0.3.3 as v0.3.4" on Sep 4, 2024
niij commented Sep 6, 2024

@andyrzhao ^

@andyrzhao
Collaborator

Taking a look now. Thanks for the heads up!

@andyrzhao
Collaborator

Ok, I've created a PR to bump the version txt to 0.3.4 (used by compiler): #128. After that is merged in, I will cut a 0.3.4 release off of that commit. ETA Monday EOD for the release since code-owners are not available on the weekend. Thanks!

aknuds1 commented Sep 10, 2024

This was fixed with version v0.3.4.

@bendiknesbo
Author

Thanks, @andyrzhao, for fixing this.
