On Mon, 18 Nov 2024 09:50:18 +0000, Stuart Henderson
<stu@spacehopper.org> wrote:

> On 2024/11/17 16:57, Daniel Jakots wrote:
> > -SHA256
> > (go_modules/github.com/opencontainers/runtime-spec/@v/v1.0.3-0.20210326190908-1c3f411f0417.zip)
> > = UZfLJPT50pKHqy+G1K1G4ZodBClAsVbUWLMM4rZBzl4= +SHA256
> > (go_modules/github.com/opencontainers/runtime-spec/@v/v1.0.3-0.20210326190908-1c3f411f0417.zip)
> > = 30GPtQucdabapkjPIwr1RMfBILkozfa/I5N9c37uIc4=
> > 
> > As far as I know this zip comes from google's Athena go stuff, so
> > it's not subject to github's artifact changing depending which node
> > you ask.  
> 
> afaik that is just a caching proxy, so if the github file changes, so
> would the athena file.

https://go.dev/ref/mod#checksum-database

> The checksum database allows for global consistency and reliability
> for all publicly available module versions. It makes untrusted
> proxies possible since they can’t serve the wrong code without it
> going unnoticed. It also ensures that the bits associated with a
> specific version do not change from one day to the next, even if the
> module’s author subsequently alters the tags in their repository.

> as usual with a mismatching hash, it would be interesting to compare
> the files and see what changed.

of course :)