v1.0.7 is corrupted

[ldez]

I think the tag has been recreated, so the content of this release is corrupted.
A version of a module should never be recreated.

The content of the module `github.com/lasiar/[email protected]`

.
├── analyzer.go
├── analyzer_test.go
├── cmd
│   └── canonicalheader
│       └── main.go
├── go.mod
├── go.sum
├── LICENCE
├── makefile
├── README.md
└── testdata
    └── src
        ├── alias
        │   ├── alias.go
        │   └── alias.go.golden
        ├── common
        │   ├── common.go
        │   └── common.go.golden
        ├── embedded
        │   ├── embedded.go
        │   └── embedded.go.golden
        ├── global
        │   ├── global.go
        │   ├── global_usage.go
        │   └── global_usage.go.golden
        └── struct
            ├── struct.go
            └── struct.go.golden

10 directories, 19 files

The content of the current tag v1.0.7

.
├── analyzer.go
├── analyzer_test.go
├── cmd
│   ├── canonicalheader
│   │   └── main.go
│   └── initialismer
│       └── main.go
├── go.mod
├── go.sum
├── initialism.go
├── LICENCE
├── makefile
├── README.md
└── testdata
    └── src
        ├── alias
        │   ├── alias.go
        │   └── alias.go.golden
        ├── common
        │   ├── common.go
        │   └── common.go.golden
        ├── embedded
        │   ├── embedded.go
        │   └── embedded.go.golden
        ├── global
        │   ├── global.go
        │   ├── global_usage.go
        │   └── global_usage.go.golden
        ├── initialism
        │   └── initialism.go
        └── struct
            ├── struct.go
            └── struct.go.golden

12 directories, 22 files

Also, one of the PRs has been merged inside a branch v1 and not inside main, I guess it was an attempt not to create a minor release without features.

$ git lgr     
* a8968c0 N - (tag: v1.0.7, origin/v1, v1) fix: allow well-known headers
* 585255d N - fix: allow well-known headers
| * 57eee15 N - (origin/fix/v1/initialism) fix: allow well-known headers
| * f4b9653 N - fix: allow well-known headers
|/  
| * 2c04f9a N - (HEAD -> main, origin/main, origin/HEAD) fix(analyzer): check function assign.
| * d8d1e01 N - chore(deps): bump linter from 1.57 to 1.58
| * 1f24212 N - style(godot): change scope from default(declarations) to all
| * 809d5d1 N - chore(deps): bump golang.org/x/tools from 0.20.0 to 0.21.0
| * ba9ebc1 N - Add GitHub Typo Action
| * e73de50 N - Fix typos
| * b1b9464 N - ci(test): run test on macos and windows
| * 3ea58f4 N - docs(readme): added installation information
| * abbb991 N - chore(readme): typo license -> licence
| * 43d2880 N - chore: fix typo
| * e99ded0 N - ci(golangci): use official action
| * 64473de N - ci: add cache for test
| * 13c3470 N - chore(readme): rename action job
| * da5699c N - ci: split jobs
| * 8a78958 N - feat: add support more cases
|/
* 7da5457 N - ci(go): add tip version
* 60b3680 N - refactor(test): from slice of struct to slice of string
* 55ee7ac N - type(test): embeded -> embedded
* e89be98 N - chore(readme): add badges
* e12dda0 N - ci: update linter from 1.55.2 to 1.57.2
* 89e9983 N - (tag: v1.0.6) fix: added processing of more cases
* 8a73b10 N - chore(deps): bump actions/setup-go from 4 to 5
...

[lasiar]

@ldez, Hi!

Yes, v1.0.7 is recreating, is it problem?

About PR to v1:
The main branch will v2, and for golangci-lint 1.59.0.
I create the branch v1 for fixes bugs, for maintaining backward compatibility.

[ldez]

Yes, v1.0.7 is recreating, is it problem?

Yes it's a major problem, a tag for a module should never be recreated (verifying module: checksum mismatch).

$ docker run --rm -it golang:1.22-alpine sh
/go # go env -w GOPROXY=direct
/go # cd ..
/ # mkdir foo && cd $_
/foo # go mod init example.com/foo
go: creating new go.mod: module example.com/foo
/foo # apk add -q git
/foo # go get github.com/lasiar/[email protected]
go: downloading github.com/lasiar/canonicalheader v1.0.7
go: github.com/lasiar/[email protected]: verifying module: checksum mismatch
        downloaded: h1:fiXWB5G7EXzCfGEryAgoeYjITDxzl4kM4DBGFwfmtM8=
        sum.golang.org: h1:3xjg7XR2JVptNjOF5Xx3SZmo0Z6tbszJkBh3bng6T8U=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
/foo #  

My recommendations:

• merge v1 inside main
• create a tag v1.1.0

[ldez]

A major version (like v2) should only be created if there are breaking changes.

Your linter doesn't have a configuration, so it cannot be breaking.

[lasiar]

If I create v1.0.8, this will solve the problem?

I'm planning:
all tags v1.x.x from the v1 branch
all tags v2.x.x from the v2 branch

[ldez]

Why do you want to create a major version?

You need to create a minor version when you add new features, not a major.

[lasiar]

Add configuration: permit list for headers

[ldez]

So it's just a feature, no breaking changes here.

[ldez]

Configuration example:

canonical-header:
  useDefaultExclusion: true
  exclusions:
    - foo
    - bar

There are no breaking changes, it's just a new feature.

A breaking change can be:

• the removal of an option
• the rename of an option (technically it's a removal of an option except if there is a compatibility layer)
• a type change of an option
• a major change in the default behavior
• a breaking change of the signature of an exposed API

Adding an option is not a breaking change if the default behavior and the exposed API stay the same.

[ldez]

Maybe it's because you want to change the API, but the analyzer can have configuration without changing the public API: Analyzer.Flags

https://github.com/polyfloyd/go-errorlint/blob/e24df99426914bacaaa49d907ad524520643a1b1/errorlint/analysis.go#L11-L30

[lasiar]

I create v1.1.1 release and tag.

[lasiar]

@ldez, thanks!

[ldez]

Just for the information:
removing a tag is not enough to "remove" a module version, you should retract the version.

https://go.dev/ref/mod#go-mod-file-retract

https://pkg.go.dev/github.com/lasiar/[email protected]

Once inside the GoProxy a version cannot be removed but only retracted.

In your context, I don't think you need to do it but I just wanted to share the good practices.

[lasiar]

Thanks!

I don't work on open source before, only private repo in private instance GitLab...

[email protected] include [email protected] or [email protected]

In v1.56.1 errcheck updated from 1.6.3 to 1.7.0

[ldez]

I review every linter update and I decide based on the changes if it should be a part of the next minor or the next patch.

v1.1.1 will be in the next release patch.

golangci/golangci-lint#4715

[ldez]

I consider the problem as fixed, thank you for your reactivity ❤️