[GH-ISSUE #318] Security Error when obtaining this package as a library #787

New issue

Open

opened 2026-03-15 21:34:38 +03:00 by kerem · 3 comments

kerem commented 2026-03-15 21:34:38 +03:00

Owner

Copy link

Originally created by @rockyprabowo on GitHub (Dec 5, 2023).
Original GitHub issue: https://github.com/hibiken/asynqmon/issues/318

I can't download this package latest tag/release due to security error below.

$ go get github.com/hibiken/asynqmon
go: downloading github.com/hibiken/asynqmon v0.7.2
go: github.com/hibiken/asynqmon@v0.7.2: verifying module: checksum mismatch
        downloaded: h1:EfLRppj5GlklMPzdCjdonpXz/D23meW0Pk6NAtkOPhw=
        sum.golang.org: h1:YohWgTIPwtMyZ6khBDcVUz9BdSdQW2Dxn8SoxtbmjSg=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

I have to specify the last commit before the v0.7.2 tag in order to use this library.

Originally created by @rockyprabowo on GitHub (Dec 5, 2023). Original GitHub issue: https://github.com/hibiken/asynqmon/issues/318 I can't download this package latest tag/release due to security error below. ``` $ go get github.com/hibiken/asynqmon go: downloading github.com/hibiken/asynqmon v0.7.2 go: github.com/hibiken/asynqmon@v0.7.2: verifying module: checksum mismatch downloaded: h1:EfLRppj5GlklMPzdCjdonpXz/D23meW0Pk6NAtkOPhw= sum.golang.org: h1:YohWgTIPwtMyZ6khBDcVUz9BdSdQW2Dxn8SoxtbmjSg= SECURITY ERROR This download does NOT match the one reported by the checksum server. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt. For more information, see 'go help module-auth'. ``` I have to specify the last commit before the `v0.7.2` tag in order to use this library.

kerem commented 2026-03-15 21:34:44 +03:00

Author

Owner

Copy link

@hiredman commented on GitHub (Dec 15, 2023):

I think what is going on here is asynqmon v0.7.2 hasn't actually been released. The most recent release in the github releases appears to be v0.7.1, but the tag for v0.7.2 exists and is maybe getting moved to match HEAD of master until such time as v0.7.2 is released (this is speculation based the github release pages and looking at what proxy.golang.org has cached for asynqmon v0.7.2 vs. what the tag currently points at here on github, so I know that the tag has changed once and doesn't appear to be "released").

This pattern of changing what a tag points to completely breaks proxy.golang.org and sum.golang.org, so is maybe not a good idea

<!-- gh-comment-id:1858567937 --> @hiredman commented on GitHub (Dec 15, 2023): I think what is going on here is asynqmon v0.7.2 hasn't actually been released. The most recent release in the github releases appears to be v0.7.1, but the tag for v0.7.2 exists and is maybe getting moved to match HEAD of master until such time as v0.7.2 is released (this is speculation based the github release pages and looking at what proxy.golang.org has cached for asynqmon v0.7.2 vs. what the tag currently points at here on github, so I know that the tag has changed once and doesn't appear to be "released"). This pattern of changing what a tag points to completely breaks proxy.golang.org and sum.golang.org, so is maybe not a good idea

kerem commented 2026-03-15 21:34:49 +03:00

Author

Owner

Copy link

@livingston0318 commented on GitHub (Jul 1, 2024):

Same issue, as I use failoverclientOpt, I can't back to v0.7.1, any idea how I can use it?

<!-- gh-comment-id:2199264616 --> @livingston0318 commented on GitHub (Jul 1, 2024): Same issue, as I use failoverclientOpt, I can't back to v0.7.1, any idea how I can use it?

kerem commented 2026-03-15 21:34:54 +03:00

Author

Owner

Copy link

@livingston0318 commented on GitHub (Jul 1, 2024):

Same issue, as I use failoverclientOpt, I can't back to v0.7.1, any idea how I can use it?

I set GOPROXY As https://proxy.golang.org,direct and then， run go mod tidy，it works

<!-- gh-comment-id:2199285580 --> @livingston0318 commented on GitHub (Jul 1, 2024): > Same issue, as I use failoverclientOpt, I can't back to v0.7.1, any idea how I can use it? I set GOPROXY As https://proxy.golang.org,direct and then， run go mod tidy，it works

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

dependabot/npm_and_yarn/ui/react-redux-8.0.5

dependabot/npm_and_yarn/ui/typescript-4.9.5

dependabot/npm_and_yarn/ui/testing-library/user-event-14.4.3

dependabot/npm_and_yarn/ui/testing-library/jest-dom-5.16.5

dependabot/npm_and_yarn/ui/react-syntax-highlighter-15.5.0

refactor/generic-tasks-table

refactor/generic-tasks

v0.7.2

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.2

v0.3.1

v0.3.0

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1-beta2

v0.1-beta1

v0.1-alpha2

v0.1-alpha

Labels

Clear labels   

documentation

  

enhancement

  

enhancement

  

good first issue

  

pull-request

Mirrored from GitHub Pull Request

No labels

documentation

enhancement

enhancement

good first issue

pull-request

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/asynqmon#787

No description provided.