On 2024/12/21 12:07, Laurent Cheylus wrote:
> Hi Lucas,
>
> ----- Mail original -----
>
> > On Fri, Dec 20, 2024 at 06:54:33PM +0100, Laurent Cheylus wrote:
> > > simple update for security/osv-scanner to the latest version 1.9.2.
> >
> > Hm, I wonder if a release was rerolled by Github...
> >
> > -SHA256 (go_modules/github.com/magefile/mage/@v/v1.14.0.zip) = dfE+gCoqyNKe6llvIb48Q6+UAtGdSzLAOfrKiiL3hBE=
> > +SHA256 (go_modules/github.com/magefile/mage/@v/v1.14.0.zip) = Dq599v96JaaeC3jIqMqjAul+5dYExl/K2vVdKbvewhI=
>
> Sorry, I don't know why I have this checksum error for this file (same error with my last update of devel/goreleaser port) :(
>
> Regen the correct distinfo file: make distclean && make makesum
Please don't just do that. Save the old file first, fetch the new and compare the two (or put them somewhere so somebody else can).

There will be a reason why the files are different, for various different ports these can include:

- distribution site or repository has had malicious changes
- distribution site or repository has had intentional changes but done in a non-transparent way (commits pushed to a tag, re-rolled tars, etc)
- on-the-fly generated files which differ between different fetches (either they're just not consistent at all, or depend on software versions which are different on different clusters in a distributed system, or change after some further commits e.g. short hashes can get lengthened if there's a collision)

In any event comparing the files will give us some ideas about why, and whether that upstream / distribution site / etc is reliable.

AFAIK the go proxy thing is _supposed_ to be checking hashes so this is really not meant to happen for those files.
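The "save the old file, fetch the new, compare the two" step above, as an added example that is not from this thread or the ports tree: a small POSIX sh helper that sorts a distfile mismatch into the cases listed (byte-identical, re-rolled archive with unchanged content, or changed content) before anyone touches distinfo. The archives, the file name mage.go and the mtimes are constructed fixtures.

```shell
# Added example, not from the thread: classify why a re-fetched distfile
# differs from the saved copy before deciding whether "make makesum" is
# justified. Fixtures are constructed tar archives; mage.go is a placeholder.

# compare_distfiles OLD NEW -- prints a verdict and returns:
#   0 byte-identical (the checksum problem is not in the file itself)
#   1 same content, different archive bytes (re-rolled archive: mtimes,
#     ordering, compression; usually benign, still worth asking why)
#   2 content differs (commits pushed to a tag, or tampering: read the diff)
#   3 could not compare (unreadable archive)
compare_distfiles() {
    old=$1; new=$2
    if cmp -s "$old" "$new"; then
        echo "identical bytes"; return 0
    fi
    work=$(mktemp -d) || return 3
    mkdir "$work/old" "$work/new"
    if ! tar -xf "$old" -C "$work/old" || ! tar -xf "$new" -C "$work/new"; then
        rm -rf "$work"; return 3
    fi
    if diff -r "$work/old" "$work/new" >"$work/content.diff"; then
        echo "same content, archive metadata differs (re-roll)"; rc=1
    else
        echo "content differs:"; cat "$work/content.diff"; rc=2
    fi
    rm -rf "$work"
    return $rc
}

# make_fixtures DIR -- constructed sample distfiles: original.tar (first
# fetch), rerolled.tar (same source re-archived after an mtime change),
# modified.tar (same file name, one line added).
make_fixtures() {
    dir=$1
    mkdir -p "$dir/src"
    printf 'package mage\n' >"$dir/src/mage.go"
    touch -t 202401010000 "$dir/src/mage.go"
    tar -cf "$dir/original.tar" -C "$dir/src" mage.go
    touch -t 202412200000 "$dir/src/mage.go"
    tar -cf "$dir/rerolled.tar" -C "$dir/src" mage.go
    printf 'package mage\n// changed\n' >"$dir/src/mage.go"
    tar -cf "$dir/modified.tar" -C "$dir/src" mage.go
}

# Stand-alone demo: expect "re-roll" (exit 1) then "content differs" (exit 2).
d=$(mktemp -d); make_fixtures "$d"
compare_distfiles "$d/original.tar" "$d/rerolled.tar"; echo "exit $?"
compare_distfiles "$d/original.tar" "$d/modified.tar"; echo "exit $?"
rm -rf "$d"
```

For a real port, OLD is the copy saved from DISTDIR before re-fetching and NEW the freshly fetched file; a result of 2 is what the reply above says should be read and discussed rather than checksummed over.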