Difficulties downloading v0.2.0

[Deleplace]

The release v0.2.0 clearly mentions:

• the tag name v0.2.0
• the commit id e436cb1
• the breaking change "constructors no longer returns an error" e.g. NewConstant now returns a single value
• the potentially breaking change "Automatically unwrap"

I confirm that the code at tag v0.2.0 / commit e436cb1 does include the new signature for NewConstant, as viewed in the GitHub web UI.

However, when downloading v0.2.0 with go get (with a recent enough version of go), the downloaded code

• includes the "Automatically unwrap" change
• doesn't include the "constructors no longer returns an error"!

Here is a full repro from Cloud Shell:

deleplace@cloudshell:~$ go version
go version go1.17.2 linux/amd64

deleplace@cloudshell:~$ go get github.com/sethvargo/[email protected]                                                                                                                                 
go: downloading github.com/sethvargo/go-retry v0.2.0

deleplace@cloudshell:~$ cat gopath/pkg/mod/github.com/sethvargo/[email protected]/retry.go | grep -A2 "if stop"                                                                                       
                if stop {
                        return rerr.Unwrap()
                }

deleplace@cloudshell:~$ cat gopath/pkg/mod/github.com/sethvargo/[email protected]/backoff_constant.go | grep "func NewConstant"
func NewConstant(t time.Duration) (Backoff, error) {

This is tricky.

I don't know the root cause of the problem. Might be a nasty bug in the go module tooling, or the way we use it. @sethvargo do you remember if you created the tag v0.2.0 first at commit 2ee2801, then deleted it and created it anew at commit e436cb1?

[cideM]

I got the following error from the CI pipeline of a branch where the dependency was automatically updated:

[2022-01-04T03:15:29.531Z] #11 9.386 verifying github.com/sethvargo/[email protected]: checksum mismatch
[2022-01-04T03:15:29.531Z] #11 9.386 	downloaded: h1:exfyQcFOOpUZ5fGciVj3iij5ilBo9oDeNo/kLj0ijS4=
[2022-01-04T03:15:29.531Z] #11 9.386 	go.sum:     h1:DCx92rkKH4xFulbIQR1izw6h3KxJWb1lyS2sxfr7SgQ=
[2022-01-04T03:15:29.531Z] #11 9.386 
[2022-01-04T03:15:29.531Z] #11 9.386 SECURITY ERROR
[2022-01-04T03:15:29.531Z] #11 9.386 This download does NOT match an earlier download recorded in go.sum.
[2022-01-04T03:15:29.531Z] #11 9.386 The bits may have been replaced on the origin server, or an attacker may
[2022-01-04T03:15:29.531Z] #11 9.386 have intercepted the download attempt.
[2022-01-04T03:15:29.531Z] #11 9.386 
[2022-01-04T03:15:29.531Z] #11 9.386 For more information, see 'go help module-auth'.
[2022-01-04T03:15:32.051Z] #11 ERROR: executor failed running [/bin/sh -c go mod download]: exit code: 1

Not sure if or how this helps but it seems somewhat relevant

[Deleplace]

Thanks Florian

I suggest the v0.2.0 be retracted.

[sethvargo]

Hmm - I'm not sure what happened, but this is the second time on one of my projects where the module differs. I just retracted v0.2.0 and cut v0.2.1.

[github-actions]

This issue has been automatically locked since there has not been any
recent activity after it was closed. Please open a new issue for
related bugs.