If you try to build Syncthing from scratch with no module cache in place you get the following:
jb@kvin:~ $ ./build.sh go: downloading github.com/lib/pq v1.2.0 go: downloading github.com/prometheus/client_golang v1.1.0 ... verifying firstname.lastname@example.org: checksum mismatch downloaded: h1:TRbvZ6F++sofeGbh+Z2IIyIOhl8KyGnYuA06g2yrHdI= go.sum: h1:dYHUyB50gEQlK3KqytmNySzuyzAcaQ3iuI2ZReAfVrE= SECURITY ERROR This download does NOT match an earlier download recorded in go.sum. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt.
It seems our module proxy (Athens) did something wrong with this package or the tag moved since it saw it first. It works on the build servers since they have the old/broken package in their module cache and/or use that proxy.
I’m going to have to fix this, and then I suspect the build will break for everyone who has it working today. Yay. The solution at that point seems to be to blow away the module cache (
~/.cache/go-build) and use the default
Currently it works with
GOPROXY=https://build.syncthing.net/athens as it serves the same copy that has been hashed previously.