Hi @pavlo-v-chernykh!
First of all, thank you for cutting a new tag in response to #41! We've been pretty happy using your library in https://github.com/cert-manager/cert-manager, and it handles the problem of writing JKS files well for us.
I just wanted to follow up on what led to #41 being raised. It looks like the published tag for v4.4.0 was modified after it was pushed. For comparison, I downloaded the module from the official GOPROXY (https://proxy.golang.org/) and then downloaded 4.4.1 (which now points to the same commit as 4.4.0), and I saw they were different. I detailed that in this comment.
That to me means that the GOPROXY observed the old version at tag 4.4.0 and cached it, and then the tag was changed afterwards.
In turn, this means that the GOSUMDB (https://sum.golang.org/) will always fail to validate 4.4.0. Instructions to reproduce this are provided in this comment.
My question is: Do you know what happened here to cause this? I totally understand if it was an honest mistake - these things happen! I'm asking because these kinds of tag changes are really destructive for any project which depends on yours, because it means our old versions will no longer build unless checksum validation is disabled (which as a security project we're not going to do, for obvious reasons!).
Hi @SgtCoDFish, thank you for the clarification.
I've searched my shell history and found that I actually changed v4.4.0, corrected the minor mistake, updated the master branch with a force push and updated the tag.
I never thought that it could cause such a problem for users.
Sorry for the inconvenience.
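Why a moved tag can never validate again, as an added example that is not part of the original thread: Go's `h1:` module hash is a SHA-256 over a sorted manifest of per-file SHA-256 digests, and the value recorded when a version is first fetched is the one every later download is checked against. The module path, version and file contents below are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 computes a Go "h1:" hash over an in-memory file tree: SHA-256 of a
// sorted manifest of "<hex sha256 of file>  <name>\n" lines, base64-encoded.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(manifest, "%x  %s\n", sum[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify mimics the checksum comparison: recorded hash vs. fetched content.
func verify(recorded string, fetched map[string][]byte) error {
	if got := hashH1(fetched); got != recorded {
		return fmt.Errorf("checksum mismatch: fetched %s, recorded %s", got, recorded)
	}
	return nil
}

// Constructed sample tree; module path, version and contents are hypothetical.
const prefix = "example.com/jks/v4@v4.4.0/"
func tree(src string) map[string][]byte {
	return map[string][]byte{
		prefix + "go.mod":      []byte("module example.com/jks/v4\n"),
		prefix + "keystore.go": []byte(src),
	}
}

func main() {
	original := tree("package keystore\n\nconst note = \"first push\"\n")
	retagged := tree("package keystore\n\nconst note = \"minor fix\"\n")
	recorded := hashH1(original) // value cached when the tag was first seen
	fmt.Println("original tag:", verify(recorded, original))
	fmt.Println("moved tag:   ", verify(recorded, retagged))
}
```

Because the version string is part of every file name in the manifest, the only way to publish the corrected content under a hash that validates is a new version number, which is what cutting a new tag does.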