The MongoDB Go Driver Team is pleased to release version 1.13.0 of the MongoDB Go Driver.
This release enhances logging, search index management, and command events. This release also introduces smarter server selection for sharded clusters, optimizing retry selection. Additionally, we streamline resource usage on FaaS platforms by disabling streaming SDAM and introduce the
serverMonitoringMode=stream/poll/auto URI option. For more information please see the 1.13.0 release notes.
You can obtain the driver source from GitHub under the v1.13.0 tag.
Documentation for the Go driver can be found on pkg.go.dev and the MongoDB documentation site. BSON library documentation is also available on pkg.go.dev. Questions and inquiries can be asked on the MongoDB Developer Community. Bugs can be reported in the Go Driver project in the MongoDB JIRA where a list of current issues can be found. Your feedback on the Go driver is greatly appreciated!
The Go Driver Team
anyone else getting this:
$ go get go.mongodb.org/mongo-driver
go: downloading go.mongodb.org/mongo-driver v1.13.0
go: email@example.com: verifying module: checksum mismatch
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Hi @Aviv_Carmi . I am not getting this locally, which version of Go are you using?
Are you still getting these security errors after trying this solution: Go modules: checksum mismatch - Stack Overflow ?
@Preston_Vasquez thanks for the reply.
I’m running into some voodoo stuff…
In my company we use
GOPROXY=proxy.golang.org,direct to be able to pull private repositories from github. When I ran
GOPROXY= go get go.mongodb.org/mongo-driver it did finish successfully, then when I ran
go get go.mongodb.org/mongo-driver again it succeeded again. Not sure how go mod works internally that explains this behavior and which checksum cache caused the problem in the first place.
To your question, I tried this exact stackoverflow answer, cleaned up local cache and still ran into this problem. I also asked several peers and they all reported the same thing. This is why I posted here but since no one else reports the same thing for almost a week, I think it might be related to our
GOPRIVATE overrides. I’ll try further investigating in relevant
go mod related places.
@Aviv_Carmi @Preston_Vasquez I am also facing the same issue. Apparently, the checksum with 1.13.0 version is messed up. In the releases i see that version 1.12.2 was released after the 1.13.0 perhaps contributing to the checksum issues we are facing. I have reverted back to the older version to fix my issue. Please have a look at it, doesn’t seem to be an issue only with GOPROXY and GOPRIVATE overrides.
You should be able to reliably reproduce this issue like this:
$ go clean -modcache
$ GOPROXY=direct go mod download -x firstname.lastname@example.org
v1.13.0 tag seems to have been “moved”, and
proxy.golang.org just happens to have seen the first attempt.
The snippet above downloads the current (presumably retagged) content, but compares it to the checksum in
sum.golang.org (which is the old one). So ⇒
You can also compare the contents of the repo at the current
v1.13.0 to the zip downloaded from
proxy.golang.org and verify that they indeed do differ.
@Preston_Vasquez we probably need a minor tag to fix this.
6 days later, this is still an issue
The data for v1.13.0 on proxy.golang.org doesn’t match the VCS tag. We plan to retract v1.13.0 and release v1.13.1 next Tuesday, possibly sooner. We are aware of the impact and apologize for the inconvenience. In the meantime, please use v1.12.2 instead.
v1.13.1 has been released and v1.13.0 is retracted.
We discovered that the
v1.13.0 Github tag was modified due to a bug in our release scripts, which is what lead to the security error when downloading the Go module. The original tag does not include all changes intended for v1.13.0 and should not be used. Please use version 1.13.1 or higher.
Thank you for your patience and we apologize for any problems this created!
– The Go Driver Team