Default go proxy has stale version

[alexshtin]

Problem

If I try to install latest version using default go proxy GOPROXY="https://proxy.golang.org,direct" everything works fine, but if I turn it off go gives me an error:

bash-5.1# GOPROXY=direct go get -u github.com/uber/tchannel-go
go: downloading github.com/uber/tchannel-go v1.31.0
go get github.com/uber/tchannel-go: github.com/uber/tchannel-go@v1.31.0: verifying module: checksum mismatch
        downloaded: h1:/UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8=
        sum.golang.org: h1:svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

After investigations I found out that /UFpXqSe9D346M+wTfwUj1+IjgTi5ETUOZJYGpiJPI8= checksum is corresponig to the commit tagged with v1.31.0 but svHYN3O0gtWvuU9Qw2a0Ktr8ciEdP/l/LyZoePU9wnU= belongs to d84cd5f commit which is 8 commits behind the v1.31.0. This means that everybody who gets v1.31.0 using go get -u github.com/uber/tchannel-go doesn't really gets 1.31.0 unless they turn go proxy off, but in this case checksum validation is failing.

Proposed solution

Release v1.31.1 ASAP. Even if it points to the same c373222 commit as v1.30.0.

[alexshtin]

Few helpful links:
https://sum.golang.org/lookup/github.com/uber/tchannel-go@v1.31.0
https://github.com/vikyd/go-checksum

[alexshtin]

Consider retracting 1.30.0 using retract.