Dear all,

I realized I didn't update the version string for github.com/xmppo/go-xmpp, so I quickly deleted the tag, updated it and pushed again. Now I realized that the checksum server already picked the tag in the short time before it got replaced:

go: downloading github.com/xmppo/go-xmpp v0.2.15
go: github.com/xmppo/go-xmpp@latest: github.com/xmppo/go-xmpp@v0.2.15: verifying module: checksum mismatch
    downloaded: h1:eFwqIow0KiRW3gr+ZCHcL2Q7zD3VNDMoIV72Ik0Kew8=
    sum.golang.org: h1:U6OjfMAb47jSKWkxXp7D+yNolEX4Acj2uOJ/p5AaCOs=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Is there a way to trigger an update?

Best regards, Martin

Comment From: Zxilly

Mostly you should not delete and re-create a tag. Instead, you can yank the broken version and create a new tag for that.

Comment From: thediveo

The idea of the hash is that it is immutable, otherwise we could ditch the whole exercise as useless. "But we're the good" has always been a travesty.

Comment From: dmitshur

In the general case, the moment a tag is published, it's not viable to modify its contents without potentially causing problems. Instead, it's possible for you to publish a newer version that corrects the issue you found shortly after publishing, and retract the problematic v0.2.15 version. See https://go.dev/blog/go116-module-changes#module-retraction and https://go.dev/ref/mod#go-mod-file-retract.
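
As an added illustration (not part of the thread and not the Go project's own code), the sketch below reimplements the `h1:` directory-hash scheme used by `Hash1` in `golang.org/x/mod/sumdb/dirhash`. It shows why re-pushing a tag with only the version string changed yields a different checksum from the one already recorded. The module path `example.com/demo` and the file contents are constructed, and the real `go` command hashes the files of the module zip rather than an in-memory map.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// h1 computes a Go-style "h1:" directory hash over in-memory files.
// Keys are paths of the form "module@version/relative/path".
func h1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // the summary is order-independent of how files were listed

	summary := sha256.New()
	for _, name := range names {
		// One line per file: hex SHA-256 of the content, two spaces, the path.
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256([]byte(files[name])), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// moduleTree builds a constructed two-file module; only the version string varies.
func moduleTree(versionString string) map[string]string {
	const prefix = "example.com/demo@v0.2.15/" // hypothetical module path
	return map[string]string{
		prefix + "go.mod":     "module example.com/demo\n\ngo 1.21\n",
		prefix + "version.go": "package demo\n\nconst Version = \"" + versionString + "\"\n",
	}
}

func main() {
	first := h1(moduleTree("0.2.14"))  // tag as first pushed, stale version string
	second := h1(moduleTree("0.2.15")) // same tag name, re-pushed with the fix
	fmt.Println("first push:", first)
	fmt.Println("re-pushed: ", second)
	fmt.Println("mismatch:  ", first != second)
}
```

Because the path prefix contains the tag name, both trees claim to be v0.2.15, yet one changed file is enough to change the summary hash, which is the mismatch the `go` command reports against sum.golang.org.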