github.com/go-openapi/[email protected] checksum broken

[jonathanwin]

Hi,

It looks like the v0.20.5 tag of github.com/go-openapi/spec has been rewritten when v0.20.6 was released, causing "go get github.com/swaggo/http-swagger" to fail for all versions since v1.2.7 inclusive:

go-openapi/spec#156

$ go get github.com/swaggo/http-swagger
go: github.com/swaggo/[email protected] requires
        github.com/go-openapi/[email protected]: verifying go.mod: checksum mismatch
        downloaded: h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
        sum.golang.org: h1:QbfOSIVt3/sac+a1wzmKbbcLXm5NdZnyBZYtCijp43o=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Unless the go-openapi/[email protected] tag can be fixed rapidly, maybe this warrants a v1.3.1 release that upgrades to go-openapi/[email protected] ?

[ubogdan]

I can't reproduce the issue. I think we are fine with the dependency upgrade.

[ubogdan]

@jonathanwin v1.3.1 released. Please confirm everything is fine now.

[jonathanwin]

Thanks a lot ! v1.3.1 works fine :-)

Turns out proxy.golang.org has the "original" v0.20.5 that corresponds to the checksum at sum.golang.org, so the issue only shows when GOPROXY=direct (or when proxy.golang.org is unreachable), while still using sum.golang.org.

\o/