Where did you install `go` from and what's the output of `go env` for both versions?
On Tuesday, August 17, 2021 at 8:25:06 AM UTC+2 Igor Chubin wrote: > Thank you for your answers! > > This is definitely not in the cache, because the problem exists everywhere, > including new containers and new cloud instances. > > I can test it with 1.14 and 1.15 too; I don't think that the problem is > specific > for 1.13 only. > > You say, that the security error is correct: but how can it be then it is > detected > by only one of the Go versions and is ignored by the other? > On Monday, August 16, 2021 at 7:57:49 PM UTC+2 jayc...@google.com wrote: > >> This doesn't seem like a problem with Go versions. The security error is >> correct. It looks like the module author tagged v1.1.1 with this go.mod >> file <https://proxy.golang.org/github.com/tredoe/osutil/@v/v1.1.1.mod> then >> changed the tag to point to a different commit with this file >> <https://github.com/tredoe/osutil/blob/v1.1.1/go.mod>. >> >> The file on proxy.golang.org is hashed and included in the checksum >> database. It looks like the hash >> <https://sum.golang.org/lookup/github.com/tredoe/osutil@v1.1.1> there is >> h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA=. >> That's the correct one to put in go.sum. >> >> The incorrect version may still be in your module cache. You can remove >> it with `go clean -modcache` (though this will remove everything else >> there, too). >> >> On Mon, Aug 16, 2021 at 9:19 AM Ian Lance Taylor <ia...@golang.org> >> wrote: >> >>> On Mon, Aug 16, 2021 at 9:11 AM Igor Chubin <ig...@chub.in> wrote: >>> > >>> > When I generate `go.sum` with go 1.16, and try to build it with go of >>> a different version (1.13 in my case), I get `SECURITY ERROR`: >>> > >>> > ``` >>> > verifying github.com/tredoe/osu...@v1.1.1/go.mod >>> <http://github.com/tredoe/osutil@v1.1.1/go.mod>: checksum mismatch >>> > downloaded: h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA= >>> > go.sum: h1:wHEjPMepmXQXkZhf9H4sQcCtmC45KuFo5VR97zG9/dY= >>> > >>> > SECURITY ERROR >>> > This download does NOT match an earlier download recorded in go.sum. >>> > The bits may have been replaced on the origin server, or an attacker >>> may >>> > have intercepted the download attempt. >>> > >>> > For more information, see 'go help module-auth'. >>> > ``` >>> > >>> > Then I fix (remove the entry and run `go mod tidy`) `go.sum` and try >>> to build it again. It works with 1.13, but the problem appears then with >>> 1.16. >>> > >>> > So there should be some incompatibility between Go 1.13 and 1.16 (not >>> sure exactly when it was introduced, so don't know about 1.14 and 1.15). >>> > >>> > Currently, as a workaround, I added this to my build scripts: >>> > >>> > ``` >>> > sed -i /osutil/d go.sum \ >>> > && go mod download github.com/tredoe/osutil >>> > ``` >>> > >>> > but it is not a real solution, of course. >>> > >>> > How am I supposed to fix this problem? >>> >>> We no longer support Go 1.13. >>> >>> You can probably work around this problem temporarily and insecurely >>> by setting the GONOSUMDB environment variable. See the mentions of >>> GONOSUMDB at https://pkg.go.dev/cmd/go. >>> >>> Ian >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "golang-nuts" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to golang-nuts...@googlegroups.com. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/golang-nuts/CAOyqgcV56QDp1TXTaNsr%2B1UezWmoMbYRhk8iN58bDRzJq83xkA%40mail.gmail.com >>> . >>> >> -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/ddcee94d-e09b-46b7-bdfb-50a2d832af09n%40googlegroups.com.
