Resync after provider release re-created

[zliang-akamai]

Hi OpenTofu team, I am a developer of Linode TF Provider.

HashiCorp's Terraform registry had an issue to publish our provider so we did a re-release for our provider (delete GitHub release then recreate). After that we received a report about the mismatched checksum issue with OpenTofu:

tofu init

Initializing the backend...

Initializing provider plugins...
- Finding linode/linode versions matching "2.21.1"...
- Installing linode/linode v2.21.1...
╷
│ Error: Failed to install provider
│ 
│ Error while installing linode/linode v2.21.1: checksum list has unexpected SHA-256 hash 85e14f144c458f976356fb92aaae3bfa47886d7f7d27922d7a84622792a38f72 (expected 4b60ed25e3802c694d922c67f0eb961f4bf070de7c1a20dd348db3976474e96a)
╵

I wonder if there is anyway we can force re-sync between the new GitHub release and OpenTofu's registry.

And it would be very nice if there is a portal we can use to manage our provider on OpenTofu registry. Curious about if there is any plan for it.

Thank you so much!

[ghost]

Hi @zliang-akamai generally, we like to treat providers as immutable to avoid supply chain attacks similar to other registry systems. Occasionally we make exceptions and manually remove provider versions if needed, but this should really be an exception rather than a rule. Would you like us to remove version 2.21.0 of the Linode provider so it gets resynced? If so, please make your membership in the Linode organization public so we can verify the autenticity of the request.

Regarding the portal, we have chosen the path of doing the registry fully based on Git because that way we don't need to request access to people's GitHub accounts, which makes adoption much easier. If this is something we should change, please open a separate issue so we can gather community feedback on the need for it.

[zliang-akamai]

Hi @janosdebugs, I just made my membership public.

Note that 2.21.1 was the problematic one and 2.21.0 is fine.

We just recreated an empty 2.21.2 release to fix the issue. But if we could also get 2.21.1 re-synced, it would be perfect.

[ghost]

Thank you @zliang-akamai, membership verified, I'll file a PR shortly that removes version 2.21.1.

[ghost]

@zliang-akamai the fix is merged, the sync job runs every 15 minutes so it should be sorted out shortly.

[ghost]

@zliang-akamai the changes should be rolled out with the new SHAs now. Please let us know if things are working for you now. (Also, if you are able to, could you please submit your provider signing key here?)