Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade dependency "github.com/envoyproxy/go-control-plane" #862

Closed
Ben131-Go opened this issue Feb 5, 2023 · 2 comments
Closed

Upgrade dependency "github.com/envoyproxy/go-control-plane" #862

Ben131-Go opened this issue Feb 5, 2023 · 2 comments
Labels
stale

Comments

@Ben131-Go
Copy link

Background

Repo github.com/mosn/layotto depends on github.com/envoyproxy/go-control-plane@v0.10.0.

https://github.com/mosn/layotto/blob/main/go.mod#L11

However, comparing version v0.10.0 of github.com/envoyproxy/go-control-plane from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
      "name": "GitHub",
      "email": "noreply@github.com",
      "date": "2021-11-01T15:26:26Z"
    }

commit time of the copy on proxy.golang.org

{"Version":"v0.10.0","Time":"2021-10-28T20:49:26Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v0.10.0 tag of github.com/envoyproxy/go-control-plane might have been retagged after a minor edition on github. I guess you use proxy.golang.org to get dependencies, but that also shows that your project is depending on the copy of github.com/envoyproxy/go-control-plane@v0.10.0 before its edition. Depending upon such inconsistent tag version may also result in some unexpected errors as well as build errors due to different proxy settings.

For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/envoyproxy/go-control-plane@v0.10.0, the following error occurs.

go: downloading github.com/envoyproxy/go-control-plane v0.10.0
go: github.com/envoyproxy/go-control-plane@v0.10.0: verifying module: checksum mismatch
        downloaded: h1:ZyeIGk3fCB8NNzihPKZsCNCc7oTz7IgMsEy0E2G3iu4=
        sum.golang.org: h1:WVt4HEPbdRbRD/PKKPbPnIVavO6gk/h673jWyIJ016k=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

So, this is a reminder in the hope that you can get rid of this problematic version of project github.com/envoyproxy/go-control-plane.

Solution

1. Bump the version of dependency github.com/envoyproxy/go-control-plane

I would recommend bumping the version of github.com/envoyproxy/go-control-plane to a new release to ensure dependency copy in proxy.golang.org and github in sync.

References
@github-actions
Copy link

github-actions bot commented Mar 8, 2023

This issue has been automatically marked as stale because it has not had recent activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue or help wanted) or other activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Mar 8, 2023
@github-actions
Copy link

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue or help wanted. Thank you for your contributions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Ben131-Go