sum.golang.org: a way to delete faulty versions

[bep]

Ref. gohugoio/hugo#9785

I had a CI server melting down on me several times, so I did what most people do, adjust the build script, commit, delete the remote tag and try again .

But, of course, in that time someone had "go getted" the software and it was published to the gosum database.

I understand that one in a perfect world one would increment some minor version is this shit happens, but hell freezes over before I spend my holiday time implementing that into my release schedule. So, as it is now, the hugo latest isn't gettable until the next version happen to happen.

I have searched, but not found, a way to delete a version from the gosumdb, which, I think is needed.

[dmitshur]

The mechanism to retract a bad (or accidental) module version is by using the retract directive, it is described at https://go.dev/blog/go116-module-changes#module-retraction.

As also mentioned there, "To keep module builds deterministic, a version cannot be modified after it is published." I understand that publishing was unintentional in this instance, and I hope you'll be able to find a way to reduce the possibility of that happening. The design described in https://go.dev/ref/mod#checksum-database and https://go.dev/design/25530-sumdb is not compatible with deletion requests to be made, so if a module version is publicly accessible from the origin server (even for a brief moment) then any additional fixes do need to be published as new versions.

Please also see "I removed a bad release from my repository but it still appears in the mirror, what should I do?" at https://proxy.golang.org/.