If you try to build Syncthing from scratch with no module cache in place you get the following:
jb@kvin:~ $ ./build.sh
go: downloading github.com/lib/pq v1.2.0
go: downloading github.com/prometheus/client_golang v1.1.0
...
verifying github.com/lucas-clemente/quic-go@v0.12.0: checksum mismatch
downloaded: h1:TRbvZ6F++sofeGbh+Z2IIyIOhl8KyGnYuA06g2yrHdI=
go.sum: h1:dYHUyB50gEQlK3KqytmNySzuyzAcaQ3iuI2ZReAfVrE=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
It seems our module proxy (Athens) did something wrong with this package or the tag moved since it saw it first. It works on the build servers since they have the old/broken package in their module cache and/or use that proxy.
I’m going to have to fix this, and then I suspect the build will break for everyone who has it working today. Yay. The solution at that point seems to be to blow away the module cache (~/go and ~/.cache/go-build) and use the default GOPROXY.
Currently it works with GOPROXY=https://build.syncthing.net/athens as it serves the same copy that has been hashed previously.
If I remove all the cache but leave our go.sum in place, I don’t have any problems. So could it be that the checksum in our go.sum is compatible with the current quic-go, but Athens (and Google) have an old version and thus fail if there’s no cache?
Turns out I messed something up when “reproducing” - there is no issue if I remove our go.sum. So the problem is in our go.sum (and Athens?).
We probably need to change our go.sum to contain the “new” hash and release a new RC with a note that one needs to clear the mod cache if there’s a checksum error on quic-go.
Killed the Athens proxy and told the build server not to use it
Cleared the module cache on all the builders
It now builds using the default Go proxy and sumdb stuff. I’m not going to revive the Athens proxy as it seems to cause issues and isn’t strictly necessary.
I don’t think this warrants a new RC on its own. I’ll make sure it ends up in the release though, if we don’t make any further RCs along the way.
The Android release hasn’t happened, so that will be a dev, not candidate, build without a new RC. I don’t think there are practical implications except for the displayed version string, so that should be fine.
This is driving me fucking nuts. I have the same problem.
Nuked $GOPATH/pkg, removed the code I have for the package, ran go clean -modcache, still same issue.
I also had this issue last week (6 days ago, to be exact) on a test machine which had a clean copy of master. I simply removed the quic-go entry from go.sum, afterwards everything worked.