Background
Repo github.com/Isan-Rivkin/surf depends on github.com/opensearch-project/opensearch-go@v2.0.0.
https://github.com/Isan-Rivkin/surf/blob/main/go.mod#L24
However, comparing version v2.0.0 of github.com/opensearch-project/opensearch-go from proxy.golang.org and github, there are inconsistencies.
commit time of the copy on github.com
"committer": {
"name": "Vacha Shah",
"email": "vachshah@amazon.com",
"date": "2022-06-16T17:52:10Z"
}
commit time of the copy on proxy.golang.org
{"Version":"v2.0.0","Time":"2022-06-15T17:15:04Z"}So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v2.0.0 tag of github.com/opensearch-project/opensearch-go might have been retagged after a minor edition on github. Depending upon such inconsistent tag version may result in some unexpected errors as well as build errors due to different proxy settings.
For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/opensearch-project/opensearch-go@v2.0.0, the following errors occur.
go: downloading github.com/opensearch-project/opensearch-go/v2 v2.0.0
go: github.com/opensearch-project/opensearch-go/v2@v2.0.0: verifying module: checksum mismatch
downloaded: h1:iG0+zWWfNQwxUEBcTLEdT3RmVmJohnuT3TJhOSvQI/s=
sum.golang.org: h1:Ij3CpuHwey29cYPVMgi5h1pWBH2O0JaTXsa4c7pqhK4=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.So, this is a reminder in the hope that you can get rid of this unreliable version of project github.com/opensearch-project/opensearch-go.
Solution
1. Bump the version of dependency github.com/opensearch-project/opensearch-go
I would recommend bumping the version of github.com/opensearch-project/opensearch-go to a new release to ensure dependency copy in proxy.golang.org and github in sync.
References
Background
Repo
github.com/Isan-Rivkin/surfdepends ongithub.com/opensearch-project/opensearch-go@v2.0.0.https://github.com/Isan-Rivkin/surf/blob/main/go.mod#L24
However, comparing version
v2.0.0ofgithub.com/opensearch-project/opensearch-gofrom proxy.golang.org and github, there are inconsistencies."committer": { "name": "Vacha Shah", "email": "vachshah@amazon.com", "date": "2022-06-16T17:52:10Z" }{"Version":"v2.0.0","Time":"2022-06-15T17:15:04Z"}So the checksum from the code in github does not match the checksum saved in sum.golang.org. The
v2.0.0tag ofgithub.com/opensearch-project/opensearch-gomight have been retagged after a minor edition on github. Depending upon such inconsistent tag version may result in some unexpected errors as well as build errors due to different proxy settings.For example, when someone who does not use proxy.golang.org, say
GOPROXY=direct, attempts to getgithub.com/opensearch-project/opensearch-go@v2.0.0, the following errors occur.So, this is a reminder in the hope that you can get rid of this unreliable version of project
github.com/opensearch-project/opensearch-go.Solution
1. Bump the version of dependency
github.com/opensearch-project/opensearch-goI would recommend bumping the version of
github.com/opensearch-project/opensearch-goto a new release to ensure dependency copy in proxy.golang.org and github in sync.References