Thank you for your answers!

This is definitely not in the cache, because the problem exists everywhere,
including new containers and new cloud instances.

I can test it with 1.14 and 1.15 too; I don't think that the problem is
specific to 1.13 only.

You say that the security error is correct, but how can it be when it is
detected by only one of the Go versions and is ignored by the other?

On Monday, August 16, 2021 at 7:57:49 PM UTC+2 jayc...@google.com wrote:

> This doesn't seem like a problem with Go versions. The security error is 
> correct. It looks like the module author tagged v1.1.1 with this go.mod 
> file <https://proxy.golang.org/github.com/tredoe/osutil/@v/v1.1.1.mod> then 
> changed the tag to point to a different commit with this file 
> <https://github.com/tredoe/osutil/blob/v1.1.1/go.mod>.
>
> The file on proxy.golang.org is hashed and included in the checksum 
> database. It looks like the hash 
> <https://sum.golang.org/lookup/github.com/tredoe/osutil@v1.1.1> there is 
> h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA=. 
> That's the correct one to put in go.sum.
>
> The incorrect version may still be in your module cache. You can remove it 
> with `go clean -modcache` (though this will remove everything else there, 
> too).
>
> On Mon, Aug 16, 2021 at 9:19 AM Ian Lance Taylor <ia...@golang.org> wrote:
>
>> On Mon, Aug 16, 2021 at 9:11 AM Igor Chubin <ig...@chub.in> wrote:
>> >
>> > When I generate `go.sum` with go 1.16, and try to build it with go of a
>> > different version (1.13 in my case), I get `SECURITY ERROR`:
>> >
>> > ```
>> > verifying github.com/tredoe/osutil@v1.1.1/go.mod: checksum mismatch
>> > downloaded: h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA=
>> > go.sum:     h1:wHEjPMepmXQXkZhf9H4sQcCtmC45KuFo5VR97zG9/dY=
>> >
>> > SECURITY ERROR
>> > This download does NOT match an earlier download recorded in go.sum.
>> > The bits may have been replaced on the origin server, or an attacker may
>> > have intercepted the download attempt.
>> >
>> > For more information, see 'go help module-auth'.
>> > ```
>> >
>> > Then I fix (remove the entry and run `go mod tidy`) `go.sum` and try to
>> > build it again. It works with 1.13, but the problem appears then with 1.16.
>> >
>> > So there should be some incompatibility between Go 1.13 and 1.16 (not
>> > sure exactly when it was introduced, so don't know about 1.14 and 1.15).
>> >
>> > Currently, as a workaround, I added this to my build scripts:
>> >
>> > ```
>> > sed -i /osutil/d go.sum \
>> > && go mod download github.com/tredoe/osutil
>> > ```
>> >
>> > but it is not a real solution, of course.
>> >
>> > How am I supposed to fix this problem?
>>
>> We no longer support Go 1.13.
>>
>> You can probably work around this problem temporarily and insecurely
>> by setting the GONOSUMDB environment variable.  See the mentions of
>> GONOSUMDB at https://pkg.go.dev/cmd/go.
>>
>> Ian
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "golang-nuts" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to golang-nuts...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/golang-nuts/CAOyqgcV56QDp1TXTaNsr%2B1UezWmoMbYRhk8iN58bDRzJq83xkA%40mail.gmail.com
>> .
>>
>
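
Added example, not part of the thread and not the Go toolchain's own code: it computes the `h1:` hash of a go.mod file the way the go command does (SHA-256 over a one-line manifest of the file's SHA-256, base64-encoded) and checks a go.sum entry against the hash from the checksum database. The helper names `goModH1`, `goSumGoModHash` and `check` are hypothetical; the two osutil hashes are the ones quoted in this thread, and the go.mod text and the second go.sum line are constructed.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// goModH1 hashes go.mod contents: SHA-256 over "<hex sha256>  go.mod\n".
func goModH1(goMod []byte) string {
	manifest := fmt.Sprintf("%x  go.mod\n", sha256.Sum256(goMod))
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// goSumGoModHash returns the hash go.sum records for module@version/go.mod, or "".
func goSumGoModHash(goSum, module, version string) string {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return f[2]
		}
	}
	return ""
}

// check compares the go.sum entry with a hash from a trusted source, such as
// the sum.golang.org lookup or goModH1 over the proxy's .mod file.
func check(goSum, module, version, trusted string) string {
	switch got := goSumGoModHash(goSum, module, version); {
	case got == "":
		return "missing"
	case got != trusted:
		return "mismatch"
	}
	return "ok"
}

func main() {
	// go.sum as recorded in the thread (first line) plus one constructed line.
	goSum := "github.com/tredoe/osutil v1.1.1/go.mod h1:wHEjPMepmXQXkZhf9H4sQcCtmC45KuFo5VR97zG9/dY=\n" +
		"example.com/other v0.1.0/go.mod h1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"
	trusted := "h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA=" // checksum database value from the thread
	fmt.Println(check(goSum, "github.com/tredoe/osutil", "v1.1.1", trusted))
	fmt.Println(goModH1([]byte("module example.com/constructed\n"))) // constructed go.mod
}
```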
