nerdctl: v1.0.0: checksum mismatch when running go mod vendor (`nydus-snapshotter@v0.3.0`); main: (`accelerated-container-image@v0.5.2`)

Description

Working on updating the Buildroot package for nerdctl.

We run ‘go mod vendor’ to download the vendor/ tree.

The following error happens on my build machine:

verifying github.com/containerd/nydus-snapshotter@v0.3.0: checksum mismatch
        downloaded: h1:IhG/jkmFKenwAeHNHqLFMfSwNs3pfdH36xd5lpr5PS0=
        go.sum:     h1:15z2Bslu1A7oi++vByV6cTIFzoSjvOGScVCU2y6bRdA=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

I guess the checksum of nydus-snapshotter has changed?

If so please release a v1.0.1 with updated checksums.

Steps to reproduce the issue

  1. Run “go mod vendor”

Describe the results you received and expected

Expected “go mod vendor” to work correctly.

What version of nerdctl are you using?

v1.0.0

Are you using a variant of nerdctl? (e.g., Rancher Desktop)

None

Host information

No response

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 15 (11 by maintainers)

Most upvoted comments

@AkihiroSuda Updated the note https://github.com/containerd/nydus-snapshotter/releases/tag/v0.3.0, could we need to release v1.0.1 to fix it?

Thanks. I’m going to release v1.1.0 soon.

@paralin @AkihiroSuda Sorry for causing the inconvenience, we accidentally re-tag the nydus-snapshotter v0.3.0 version before (the go proxy server cached the version), and it was upgraded in #1457.

Thanks @imeoer for confirmation 👍 . Could you consider updating https://github.com/containerd/nydus-snapshotter/releases/tag/v0.3.0 to note that the tag was reused?