Release 1.9.0 available without tag (might be compromised/hijacked)

[gaaf]

Hi,

I noticed that pkg.go.dev serves a version 1.9.0 of this package. On the github repo there's no such tag, the changelog doesn't mention a 1.9.0 version and the links on said page are dead.

I cannot determine if the served package is legitimate. Please either update the changelog and tag the appropriate commit or make sure pkg.go.dev doesn't serve an unauthorized version.

[dveeden]

Related: #906

[dveeden]

Looks like #907 is also related

[dveeden]

cc @atercattus

[atercattus]

Yes, this is my mistake. I make a new tag 1.9 without checking that main branch is working. When I realized this, I removed the tag ASAP to avoid distributing unstable main. Unfortunately, pkg.go.dev already saw the new tag...

We are thinking about these fixes here #907

[lance6716]

I have recreated v1.9.0 https://github.com/go-mysql-org/go-mysql/tags let's see if it can overwrite the old tag

[lance6716]

I think I should create v1.9.1 https://go.dev/blog/go116-module-changes

a version cannot be modified after it is published

[lance6716]

https://pkg.go.dev/github.com/go-mysql-org/go-mysql?tab=versions