The MongoDB Go Driver Team is pleased to release version 1.13.0 of the MongoDB Go Driver.
This release enhances logging, search index management, and command events. This release also introduces smarter server selection for sharded clusters, optimizing retry selection. Additionally, we streamline resource usage on FaaS platforms by disabling streaming SDAM and introduce the serverMonitoringMode=stream/poll/auto URI option. For more information please see the 1.13.0 release notes.
You can obtain the driver source from GitHub under the v1.13.0 tag.
$ go get go.mongodb.org/mongo-driver
go: downloading go.mongodb.org/mongo-driver v1.13.0
go: go.mongodb.org/mongo-driver@v1.13.0: verifying module: checksum mismatch
downloaded: h1:c+OsvIAc3LCdc9dcfowGjT2bWjvLOccxhdguqHJUvbo=
sum.golang.org: h1:67DgFFjYOCMWdtTEmKFpV3ffWlFnh+CYZ8ZS/tXWUfY=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
@Preston_Vasquez thanks for the reply.
I’m running into some voodoo stuff…
In my company we use GOPROXY=proxy.golang.org,direct to be able to pull private repositories from github. When I ran GOPROXY= go get go.mongodb.org/mongo-driver it did finish successfully, then when I ran go get go.mongodb.org/mongo-driver again it succeeded again. Not sure how go mod works internally that explains this behavior and which checksum cache caused the problem in the first place.
To your question, I tried this exact stackoverflow answer, cleaned up local cache and still ran into this problem. I also asked several peers and they all reported the same thing. This is why I posted here but since no one else reports the same thing for almost a week, I think it might be related to our GOPROXY and GOPRIVATE overrides. I’ll try further investigating in relevant go mod related places.
@Aviv_Carmi@Preston_Vasquez I am also facing the same issue. Apparently, the checksum with 1.13.0 version is messed up. In the releases i see that version 1.12.2 was released after the 1.13.0 perhaps contributing to the checksum issues we are facing. I have reverted back to the older version to fix my issue. Please have a look at it, doesn’t seem to be an issue only with GOPROXY and GOPRIVATE overrides.
You should be able to reliably reproduce this issue like this:
$ go clean -modcache
$ GOPROXY=direct go mod download -x go.mongodb.org/mongo-driver@v1.13.0
The v1.13.0 tag seems to have been “moved”, and proxy.golang.org just happens to have seen the first attempt.
The snippet above downloads the current (presumably retagged) content, but compares it to the checksum in sum.golang.org (which is the old one). So ⇒
You can also compare the contents of the repo at the current v1.13.0 to the zip downloaded from proxy.golang.org and verify that they indeed do differ.
The data for v1.13.0 on proxy.golang.org doesn’t match the VCS tag. We plan to retract v1.13.0 and release v1.13.1 next Tuesday, possibly sooner. We are aware of the impact and apologize for the inconvenience. In the meantime, please use v1.12.2 instead.
v1.13.1 has been released and v1.13.0 is retracted.
We discovered that the v1.13.0 Github tag was modified due to a bug in our release scripts, which is what lead to the security error when downloading the Go module. The original tag does not include all changes intended for v1.13.0 and should not be used. Please use version 1.13.1 or higher.
Thank you for your patience and we apologize for any problems this created!
