Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade dependency "github.com/opensearch-project/opensearch-go" #20

Open
Ben131-Go opened this issue Jan 30, 2023 · 3 comments
Open

Upgrade dependency "github.com/opensearch-project/opensearch-go" #20

Ben131-Go opened this issue Jan 30, 2023 · 3 comments
Labels
to-prioritize

Comments

@Ben131-Go
Copy link

Background

Repo github.com/Isan-Rivkin/surf depends on github.com/opensearch-project/[email protected].

https://github.com/Isan-Rivkin/surf/blob/main/go.mod#L24

However, comparing version v2.0.0 of github.com/opensearch-project/opensearch-go from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
      "name": "Vacha Shah",
      "email": "[email protected]",
      "date": "2022-06-16T17:52:10Z"
    }

commit time of the copy on proxy.golang.org

{"Version":"v2.0.0","Time":"2022-06-15T17:15:04Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v2.0.0 tag of github.com/opensearch-project/opensearch-go might have been retagged after a minor edition on github. Depending upon such inconsistent tag version may result in some unexpected errors as well as build errors due to different proxy settings.

For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/opensearch-project/[email protected], the following errors occur.

go: downloading github.com/opensearch-project/opensearch-go/v2 v2.0.0
go: github.com/opensearch-project/opensearch-go/v2@v2.0.0: verifying module: checksum mismatch
        downloaded: h1:iG0+zWWfNQwxUEBcTLEdT3RmVmJohnuT3TJhOSvQI/s=
        sum.golang.org: h1:Ij3CpuHwey29cYPVMgi5h1pWBH2O0JaTXsa4c7pqhK4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

So, this is a reminder in the hope that you can get rid of this unreliable version of project github.com/opensearch-project/opensearch-go.

Solution

1. Bump the version of dependency github.com/opensearch-project/opensearch-go

I would recommend bumping the version of github.com/opensearch-project/opensearch-go to a new release to ensure dependency copy in proxy.golang.org and github in sync.

References
@Isan-Rivkin
Copy link
Owner

Hi @Ben131-Go and thank you for the very informative and clear issue 👍
I will do my best to prioritize it, (see to-prioritize label), once that label removed it means theres active work on it.
I will update here with PR.
In the mean time is this a blocker for you?
If so, please feel free to open a PR with a fix.

@Ben131-Go
Copy link
Author

Thanks for your quick reply! This is not a blocker for me at the moment. This issue is just a small kind reminder.

@Isan-Rivkin
Copy link
Owner

@Ben131-Go Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
to-prioritize
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Isan-Rivkin @Ben131-Go