tiup icon indicating copy to clipboard operation
tiup copied to clipboard

Published 20 hours ago verified publisher icon pingcap

Upgrade dependency "github.com/prometheus/prom2json"

Open Ben131-Go opened this issue 2 years ago • 2 comments

Background

Repo github.com/pingcap/tiup depends on github.com/prometheus/[email protected].
https://github.com/pingcap/tiup/blob/master/go.mod#L43
However, comparing version v1.3.1 of github.com/prometheus/prom2json from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
      "name": "beorn7",
      "email": "[email protected]",
      "date": "2022-04-19T20:18:52Z"
    }

commit time of the copy on proxy.golang.org

{"Version":"v1.3.1","Time":"2022-04-19T16:24:19Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v1.3.1 tag of github.com/prometheus/prom2json might have been retagged after a minor edition on github. I guess you use proxy.golang.org to get dependencies, but that also shows that your project is depending on the copy of github.com/prometheus/[email protected] before its edition. Depending upon such inconsistent tag version may also result in some unexpected errors as well as build errors due to different proxy settings.
For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/prometheus/[email protected], the following error occurs.

go: downloading github.com/prometheus/prom2json v1.3.1
go: github.com/prometheus/[email protected]: verifying module: checksum mismatch
        downloaded: h1:7+kNt7FSQFjppCuTlgg4/QVMIo6vS4oqByCvb4ePuXc=
        sum.golang.org: h1:OogL5hsrJpLPz3jZ4LPz4sJRTtADzViCNRQoqrzUQvk=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

So, this is a reminder in the hope that you can get rid of this problematic version of project github.com/prometheus/prom2json.

Solution

1. Bump the version of dependency github.com/prometheus/prom2json

I would recommend bumping the version of github.com/prometheus/prom2json to a new release to ensure dependency copy in proxy.golang.org and github in sync.

References

Ben131-Go avatar Feb 04 '23 07:02 Ben131-Go

Thanks for the report! We indeed upgrade our depends via common Go proxies, and usually don't touch them regularly until next minor release is due to publish.

I'll check this out later.

AstroProfundis avatar Feb 06 '23 03:02 AstroProfundis

Done in #2154

AstroProfundis avatar Sep 13 '23 12:09 AstroProfundis