From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Romain Naour <romain.naour@smile.fr>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCHv2 1/2] package/pkg-golang.mk: set GOPROXY to proxy.golang.org
Date: Sun, 9 Jan 2022 21:08:06 +0100 [thread overview]
Message-ID: <20220109200806.GD1477939@scaer> (raw)
In-Reply-To: <20220109151414.1908259-1-romain.naour@smile.fr>
Romain, All,
On 2022-01-09 16:14 +0100, Romain Naour spake thusly:
> While packaging telegraf [1] the download step failed due to a checksum
> mismatch:
>
> go: downloading collectd.org v0.5.0
> get "collectd.org": found meta tag vcs.metaImport{Prefix:"collectd.org", VCS:"git", RepoRoot:"https://github.com/collectd/go-collectd"} at //collectd.org/?go-get=1
> verifying collectd.org@v0.5.0: checksum mismatch
> downloaded: h1:mRTLdljvxJNXPMMO9RSxf0PANDAqu/Tz+I6Dt6OjB28=
> go.sum: h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=
>
> SECURITY ERROR
> This download does NOT match an earlier download recorded in go.sum.
> The bits may have been replaced on the origin server, or an attacker may
> have intercepted the download attempt.
>
> For more information, see 'go help module-auth'.
>
> go-collectd was bumped in telegraf several releases ago (since v1.19.0) without
> any change to the go-collectd hash.
>
> Some users reported an issue [3] when using "GOPROXY=direct" and used
> "GOPROXY=proxy.golang.org" as a workaround.
I'll put down what we discussed on IRC:
Unfortunately, there are cases the other way around: using a proxy broke
the vendoring, while a direct connection solved it. So we won't be able
to satisfy both cases.
Furthermore, relying on a proxy having a cached archive risks breaking
in the future anyway, as that archive may eventually get evicted
out of the cache of the proxy. Or the proxy may disappear in the future,
or whatever.
In any case, a bad hash is most probably due to one of the following
issues:
- upstream messed up when adding the dependency and incorrectly copied
the hash (but that should not happen as adding a dependency is
supposed to be done with go tools already),
- the upstream of the dependency changed their release (i.e. they
re-tagged a release)
- the go proxy is caching an incorrect archive (e.g. a partial
download, or an older archive, or is malicious, or whatever).
In any case, we can't do anything about it, and the upstream of the
project has to fix the mess.
So, from my point of view, this is a NACK on this patch.
Regards,
Yann E. MORIN.
> [1] https://github.com/influxdata/telegraf/
> [2] https://github.com/influxdata/telegraf/commit/d4b051edc247a13d7fbdaa49d95fe6e93505d14e
> [3] https://github.com/google/flatbuffers/issues/6466#issuecomment-781954742
>
> Signed-off-by: Romain Naour <romain.naour@smile.fr>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> package/pkg-golang.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/pkg-golang.mk b/package/pkg-golang.mk
> index 35bcb1673b..e23778d96a 100644
> --- a/package/pkg-golang.mk
> +++ b/package/pkg-golang.mk
> @@ -85,7 +85,7 @@ $(2)_POST_PATCH_HOOKS += $(2)_GEN_GOMOD
> $(2)_DOWNLOAD_POST_PROCESS = go
> $(2)_DL_ENV = \
> $(HOST_GO_COMMON_ENV) \
> - GOPROXY=direct \
> + GOPROXY=proxy.golang.org \
> BR_GOMOD=$$($(2)_GOMOD)
>
> # Due to vendoring, it is pretty likely that not all licenses are
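Review bot: the hunk hard-codes a single external proxy for every Go package's download step, replacing `GOPROXY=direct` with `GOPROXY=proxy.golang.org` without any way for a package or a user to override it, while the reply above notes that a proxy has broken vendoring in other cases and that cached archives can be evicted or the proxy can go away. Also, the quoted log shows the failure is a go.sum mismatch, which the proxy does not bypass: the same `h1:` comparison still runs, so the change only helps when the proxy happens to hold an archive whose hash matches the one recorded in go.sum. If the change is kept, the commit message should state that trade-off explicitly rather than citing the flatbuffers workaround alone.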
> --
> 2.31.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
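The go.sum verification behind the quoted SECURITY ERROR, as an added example that is not part of this thread or of Buildroot: a Python re-implementation of Go's `h1:` module hash (the dirhash Hash1 algorithm: one `sha256hex  name` line per file in sorted order, SHA-256 over those lines, base64) checked against a go.sum entry, plus a "re-tagged" copy of the same module to show why the recorded hash stops matching. The module file names and contents are constructed; the real collectd.org archive is not reproduced.

```python
import base64
import hashlib

# Constructed sample module content (not the real collectd.org@v0.5.0 zip).
# Names follow the module zip layout: "<module>@<version>/<path>".
MODULE_FILES = {
    "collectd.org@v0.5.0/go.mod": b"module collectd.org\n\ngo 1.13\n",
    "collectd.org@v0.5.0/api/api.go": b"package api\n",
}


def hash1(files):
    """Go's 'h1:' module hash (golang.org/x/mod/sumdb/dirhash.Hash1):
    for each file in sorted name order, feed 'sha256hex  name\\n' into a
    summary SHA-256, then base64-encode the summary with an 'h1:' prefix.
    Any change to any file, or to the file list, changes the result."""
    summary = hashlib.sha256()
    for name in sorted(files):
        digest = hashlib.sha256(files[name]).hexdigest()
        summary.update(f"{digest}  {name}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()


def parse_gosum(text):
    """Map (module, version) -> hash from go.sum lines.  Versions with a
    '/go.mod' suffix (hash of the go.mod file alone) stay separate keys."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            entries[(parts[0], parts[1])] = parts[2]
    return entries


def verify(module, version, files, gosum):
    """Compare the hash of a freshly downloaded archive with the one
    recorded in go.sum.  A mismatch is the 'downloaded' vs 'go.sum' pair
    printed in the SECURITY ERROR: the archive fetched now is not the one
    that was recorded when the dependency was added (re-tagged release,
    stale or corrupted proxy cache, or a tampered download)."""
    got = hash1(files)
    want = gosum.get((module, version))
    return (got == want, got, want)


if __name__ == "__main__":
    gosum = parse_gosum(f"collectd.org v0.5.0 {hash1(MODULE_FILES)}\n")
    retagged = dict(MODULE_FILES)  # same version tag, different content
    retagged["collectd.org@v0.5.0/api/api.go"] = b"package api\n// re-tagged\n"
    print(verify("collectd.org", "v0.5.0", MODULE_FILES, gosum))
    print(verify("collectd.org", "v0.5.0", retagged, gosum))
```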