Add -verify-storage to purge checksum-mismatched modules from storage (#2145)#2146
Merged
Conversation
Compares each stored module zip's h1: hash to the canonical hash from the configured checksum database. Includes the sumdb lookup oracle, the Poisoned predicate, and the Sweep driver that skips private (NoSumPatterns) modules before any lookup and only flags provable mismatches.
Runs the checksum sweep as a one-shot process and exits without starting the server. -verify-storage reports mismatches; -verify-storage -purge deletes them. -purge without -verify-storage is a usage error.
- gosec G104: explicitly ignore f.Close() in hashZipReader's error path - contextcheck: RunVerify is a one-shot CLI root, so it builds its own context instead of taking an inherited one that GetStorage can't thread
nrwiersma
approved these changes
Jul 17, 2026
matt0x6F
enabled auto-merge (squash)
July 18, 2026 03:13
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is the problem I am trying to address?
Athens builds module zips on a cache miss and stores them, then serves the stored copy on every hit after that. So when it builds a zip wrong, the bad copy is stuck — bumping the toolchain doesn't help, because a cache hit never rebuilds. #2145 is a concrete case: Athens releases on Go 1.20.x strip files under nested
vendor/directories (the x/mod/zip bug fixed in Go 1.24), so the stored zip doesn't match sum.golang.org and clients get checksum errors.How is the fix applied?
This adds a maintenance command to find those zips and evict them so they refetch cleanly:
It's a separate one-shot process that exits without starting the server (same shape as
-version), so you run it as a Job ordocker runagainst the same storage the proxy uses.Decisions I'd like eyes on:
NoSumPatterns, before any lookup, so we never send a private module path to sum.golang.org.Docs page added at
docs/content/configuration/verify-storage.mdwith an "am I affected?" rundown — short answer, only if you ran ≤ v0.15.1 (Go 1.20.x) into 2025+ and proxied publicgo >= 1.24modules with a nested vendor dir.Tested with unit tests for the lookup, the hash comparison, and the sweep (report/purge/skip/not-in-DB) over an in-memory backend. I also reproduced the bug directly: go1.20.14 vs go1.25 building
ginkgo/v2@v2.32.0produce exactly the two hashes from the issue, differing by the single stripped vendor file.Left out on purpose (possible follow-ups): verifying private modules (no authoritative source for their hashes) and an automatic self-heal on the request path.
What GitHub issue(s) does this PR fix or close?
Fixes #2145