Upgrade 'go-swagger/go-swagger' to avoid build error.

[HappyHacker123]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

Currently oathkeeper depends on go-swagger/go-swagger@v0.30.0. But go-swagger may have retagged version v0.30.0, so the checksum from the code in github does not match the checksum saved in sum.golang.org.
So when trying to download go-swagger directly from Github, the following error will occur.

root@iZj6c5flh0q5ax3d1ttfuhZ:~/temp# GOPROXY=direct go get github.com/go-swagger/go-swagger@v0.30.0
go: downloading github.com/go-swagger/go-swagger v0.30.0
go: github.com/go-swagger/go-swagger@v0.30.0: verifying module: checksum mismatch
        downloaded: h1:USeysUi8+GLwjRR8riKERrBmISIL3bnyOnvmhSB8vrA=
        sum.golang.org: h1:HakSyutD7Ek9ndkR8Fxy6WAoQtgu7UcAmZCTa6SzawA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Reproducing the bug

Run the following command.

GOPROXY=direct go get github.com/go-swagger/go-swagger@v0.30.0

Relevant log output

No response

Relevant configuration

No response

Version

0.40.7-pre.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

github.com/go-swagger/go-swagger@v0.30.4 doesn't have such error, upgrade to v0.30.4 might be a good choice

[alnr]

Very odd. Let's see if there's any movement in this issue: go-swagger/go-swagger#3118

[HappyHacker123]

@alnr Thanks for your reply! I add some background information on the upstream issue, hope it can help.

[alnr]

The oathkeeper build seems to work with the existing version, is there even a reason to upgrade?

[HappyHacker123]

I guess you use proxy.golang.org to get dependencies. If you set GOPROXY=direct and try to download go-swagger as i mentioned before, errors will occur.

So this issue more like a reminder in the hope that you can get rid of this problematic version of go-swagger if possible. As it might be a problem for users who have to set GOPROXY=direct.

[alnr]

Ah, got it, thanks! Surely you must be curious why the version was re-tagged though? I don't have time to comb through the diffs in go-swagger since this event, so I'm hesitant to change versions now.

[HappyHacker123]

Surely you must be curious why the version was re-tagged though?

Yeah, i guess maybe a minor mistake was found, they don't want to release a new version so they retagged it :).

I don't have time to comb through the diffs in go-swagger since this event, so I'm hesitant to change versions now.

No hurry, you can come back at this whenever possible. I'm using proxy.golang.org to temporarily avoid the situation. Hope someday it will be fixed :)