1.1.198 release/tag? #49

Closed
2 tasks done
cfergeau opened this issue Apr 19, 2024 · 3 comments

@cfergeau

What happened?

github.com/anchore/quill had this PR automatically opened by dependabot 2 weeks ago anchore/quill#349 to update to 1.1.198, so there was apparently a 1.1.198 tag at this time? Looking at https://github.com/blacktop/go-macho/tags, there's a 1.1.198 tag but this tag was pushed in the last 24 hours?

In light of the xz hack, I'm trying to understand if that's expected, or if something is off?

How can we reproduce this?

Trying to build github.com/anchore/quill with make build results in

  ⨯ release failed after 0s                  error=failed to build for linux_ppc64le: exit status 1: go: downloading github.com/blacktop/go-macho v1.1.198
verifying github.com/blacktop/go-macho@v1.1.198: checksum mismatch
	downloaded: h1:iCe8aO/oukUuksEuT7rgQOL/kDvMyxZjyc9dvYYUNEs=
	go.sum:     h1:XzLkto28L186FboxM7c7IUhQJvxCK/6J/RdQ6/SPOW4=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

go-macho version

1.1.198

Search

  • I did search for other open and closed issues before opening this

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

@cfergeau cfergeau added bug Something isn't working triage labels Apr 19, 2024
@blacktop blacktop added question Further information is requested and removed bug Something isn't working triage labels Apr 19, 2024
@blacktop
Owner

I'm not 💯 on how I did it but I was playing w/ automating release tag semver and I think I created a bunch of extra tags, then the Go mod server cached them.

So when I tried to update my own use of go-macho to latest it would try and use .198 even though the actual latest was .196 etc

Then I recently added .198 for real, but the Go mod server was using the OLD cached version so I made the dummy .199 tag to get around it as I didn't know how to remove .198 for the cache go.mod server etc

@cfergeau
Author

Ok, that's a known problem then, thanks!
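
Added example, not part of the original thread and not code from go-macho or quill: how the `h1:` value in the error above is derived, and why a tag that is moved to different content after a hash was recorded fails verification. The module path and file contents are constructed; the hash layout follows `Hash1` in golang.org/x/mod/sumdb/dirhash.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 computes the "h1:" hash go.sum records for a module tree: SHA-256 over
// sorted "<sha256 hex>  <module@version/path>\n" lines, then base64.
func hashH1(modVer string, files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // same order as sorting the prefixed names
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%x  %s/%s\n", sha256.Sum256([]byte(files[name])), modVer, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify mimics the go command's check: what is fetched now must hash to
// the value recorded earlier in go.sum.
func verify(recorded, modVer string, fetched map[string]string) error {
	if got := hashH1(modVer, fetched); got != recorded {
		return fmt.Errorf("verifying %s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s",
			modVer, got, recorded)
	}
	return nil
}

// Constructed sample data: the same version string pointing at two different trees.
var (
	modVer   = "example.com/mod@v1.1.198"
	firstTag = map[string]string{"go.mod": "module example.com/mod\n", "a.go": "package mod // first tag\n"}
	reTag    = map[string]string{"go.mod": "module example.com/mod\n", "a.go": "package mod // re-pushed tag\n"}
)

func main() {
	recorded := hashH1(modVer, firstTag) // what go.sum captured at first download
	fmt.Println("same content:", verify(recorded, modVer, firstTag))
	fmt.Println("moved tag:   ", verify(recorded, modVer, reTag))
}
```

The hash covers file paths and contents only, so the mismatch shows that the bytes behind the version changed; it does not say whether the cause was a re-pushed tag or tampering.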
