Re: [go-nuts] go.sum security error

2021-08-17 Thread 'Jay Conrod' via golang-nuts
Ideally `go mod verify` would help in this situation, but it only compares the contents of go.sum against the module cache, and if they're consistent with each other but not the outside world, it won't report an error. I've opened #47752 for this. On Tue

Re: [go-nuts] go.sum security error

2021-08-17 Thread 'Jay Conrod' via golang-nuts
I think the problem is in go.sum. If it already contains an incorrect sum for a module version, the go command will report a security error when downloading that version (if the download has a different sum) or when using that version (if the cached version had a different sum that appeared to be v

Re: [go-nuts] go.sum security error

2021-08-17 Thread Sean Liao
Where did you install `go` from and what's the output of `go env` for both versions? On Tuesday, August 17, 2021 at 8:25:06 AM UTC+2 Igor Chubin wrote: > Thank you for your answers! > > This is definitely not in the cache, because the problem exists everywhere, > including new containers and new

Re: [go-nuts] go.sum security error

2021-08-16 Thread Igor Chubin
Thank you for your answers! This is definitely not in the cache, because the problem exists everywhere, including new containers and new cloud instances. I can test it with 1.14 and 1.15 too; I don't think that the problem is specific for 1.13 only. You say, that the security error is correct:

Re: [go-nuts] go.sum security error

2021-08-16 Thread 'Jay Conrod' via golang-nuts
This doesn't seem like a problem with Go versions. The security error is correct. It looks like the module author tagged v1.1.1 with this go.mod file then changed the tag to point to a different commit with this file

Re: [go-nuts] go.sum security error

2021-08-16 Thread Ian Lance Taylor
On Mon, Aug 16, 2021 at 9:11 AM Igor Chubin wrote: > > When I generate `go.sum` with go 1.16, and try to build it with go of a > different version (1.13 in my case), I get `SECURITY ERROR`: > > ``` > verifying github.com/tredoe/osutil@v1.1.1/go.mod: checksum mismatch > downloaded: h1:fx79htI3WZA9

[go-nuts] go.sum security error

2021-08-16 Thread Igor Chubin
When I generate `go.sum` with go 1.16, and try to build it with go of a different version (1.13 in my case), I get `SECURITY ERROR`: ``` verifying github.com/tredoe/osutil@v1.1.1/go.mod: checksum mismatch downloaded: h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA= go.sum: h1:wHEjPMepmXQXkZhf9