go.sum: Fix checksum mismatch #131

Closed
jtojnar wants to merge 1 commits from fix-hash into master
Contributor

Description

It produced an error for me:

```
$ go mod download
[…]
verifying github.com/go-xorm/tests@v0.5.6: checksum mismatch
        downloaded: h1:T2xw6s+shmSXqNjEPMCMOG6V0vYhJNgjpgmtNzgetuI=
        go.sum:     h1:E4nmVkKfHQAm+i2/pmOJ5JUej6sORVcvwl6/LQybif4=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
```

Checklist

  • I added or improved tests
  • I pushed new or updated dependencies to the repo using go mod vendor
  • I added or improved docs for my feature
    • Swagger (including make do-the-swag)
    • Error codes
    • New config options
Collaborator

I'm a bit confused where the mismatch comes from. Do we have both file trees of that dependency and can do a diff check?

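The diff check asked about above can be done by recomputing the `h1:` value that `go.sum` records for each copy of the module and listing the files that differ. This is an added example, not code from this thread or from Vikunja; the module name `example.com/demo@v1.0.0` and both file trees are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Tree maps a path relative to the module root to that file's contents.
type Tree map[string]string

// Constructed sample data: two copies of one module version (not real module contents).
const modVer = "example.com/demo@v1.0.0"

var recorded = Tree{"go.mod": "module example.com/demo\n", "demo.go": "package demo\n"}
var downloaded = Tree{"go.mod": "module example.com/demo\n", "demo.go": "package demo // edited\n", "extra.go": "package demo\n"}

// HashTree computes the "h1:" directory hash used in go.sum: SHA-256 over the
// sorted lines "<hex sha256 of file>  <module>@<version>/<path>\n", base64-encoded.
func HashTree(prefix string, t Tree) string {
	paths := make([]string, 0, len(t))
	for p := range t {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%x  %s/%s\n", sha256.Sum256([]byte(t[p])), prefix, p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// DiffTrees returns the sorted paths that were added, removed or changed between a and b.
func DiffTrees(a, b Tree) []string {
	seen := map[string]bool{}
	for p, c := range a {
		if other, ok := b[p]; !ok || other != c {
			seen[p] = true
		}
	}
	for p := range b {
		if _, ok := a[p]; !ok {
			seen[p] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("go.sum:    ", HashTree(modVer, recorded))
	fmt.Println("downloaded:", HashTree(modVer, downloaded))
	fmt.Println("differing: ", DiffTrees(recorded, downloaded))
}
```

Because file names are hashed together with their contents, a renamed or added file changes the `h1:` value just as an edited one does.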
Owner

This seems to be an issue with the module itself, it also fails when creating a new project and `go get`ing `github.com/go-xorm/tests`. I'll try to check this with the creator of the package.

If you only want to build the api, you should be able to use the committed dependencies in the `vendor/` folder with the `-mod=vendor` flag. Alternatively, you can use the Makefile, take a look at [the makefile docs](https://vikunja.io/docs/makefile/)

Owner

> I'm a bit confused where the mismatch comes from. Do we have both file trees of that dependency and can do a diff check?

@shilch Yes, they are located in vendor/.

Author
Contributor

> I'm a bit confused where the mismatch comes from. Do we have both file trees of that dependency and can do a diff check?

I do not see `github.com/go-xorm/tests` in the vendor directory so I am not sure with what I should diff it.

> If you only want to build the api, you should be able to use the committed dependencies in the `vendor/` folder with the `-mod=vendor` flag. Alternatively, you can use the Makefile, take a look at the makefile docs

I am trying to package Vikunja for NixOS distro and using vendored dependencies is discouraged in our policies.

Owner

It seems like the original repo has been archived since, but we don't even have that in vendor... I wonder why it even appears in the `go.sum` file.

Owner

> I am trying to package Vikunja for NixOS distro and using vendored dependencies is discouraged in our policies.

Yeah, I can see all the disadvantages it brings, and it most certainly is not a solution. The committed dependencies are back from when there was no such thing as `GOPROXY` to back up dependencies.

Packaging Vikunja for nixos is great! I'm also using nix as my main distro, you can ping me once you have the pr ready and I'll take a look :)

Owner

It seems like the xorm path has been moved and updated since the version I've put in Vikunja has been released. I'll update xorm in a separate PR, maybe that also fixes the issue here.

Owner

I've updated xorm, can you pull and try again?

Author
Contributor

Fixed by vikunja/api#133 (https://kolaente.dev/vikunja/api/pulls/133)
jtojnar closed this pull request 2020-02-14 22:31:46 +00:00
jtojnar deleted branch fix-hash 2020-02-14 22:31:54 +00:00
All checks were successful
continuous-integration/drone/pr Build is passing

Reference: vikunja/vikunja#131