Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v1.16 build is broken #18864

Closed
fhuberts opened this issue Feb 23, 2022 · 12 comments · Fixed by #18932
Closed

v1.16 build is broken #18864

fhuberts opened this issue Feb 23, 2022 · 12 comments · Fixed by #18932
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail

Comments

@fhuberts
Copy link

Gitea Version

039eb66

Git Version

039eb66

Operating System

Fedora Linux

How are you running Gitea?

not relevant

Database

No response

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

When building gitea I get a checksum error.
The component was updated in commit 039eb66

...
go: downloading github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
go: downloading github.com/klauspost/cpuid v1.3.1
go: downloading github.com/mattn/go-isatty v0.0.13
verifying github.com/niklasfasching/go-org@v1.6.0: checksum mismatch
downloaded: h1:CRDpKE90NuksNOWe7qjq1JHh7yonOht8f7rzAJQSDhc=
go.sum: h1:NCWpmDDNjHNsrei6VmnYXzOiyZUxV8LVU19REGQ8dKA=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:589: generate] Error 1

Screenshots

No response
@fhuberts
Copy link
Author

I'm building on Fedora 35 x64, go version: golang-1.16.14-1.fc35.x86_64

@fhuberts
Copy link
Author

Reverting that commit makes the build work again

@zeripath
Copy link
Contributor

zeripath commented Feb 23, 2022
edited

Have you ran:

make vendor

@zeripath zeripath added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Feb 23, 2022
@fhuberts
Copy link
Author

No I haven't.
The doc page about building from source doesn't mention it and it was never needed before.

@fhuberts
Copy link
Author

Have tried it and I get the same error

...
go: downloading github.com/syndtr/goleveldb v1.0.0
go: downloading github.com/ethantkoenig/rupture v1.0.0
go: downloading github.com/olivere/elastic/v7 v7.0.25
verifying github.com/niklasfasching/go-org@v1.6.0: checksum mismatch
	downloaded: h1:CRDpKE90NuksNOWe7qjq1JHh7yonOht8f7rzAJQSDhc=
	go.sum:     h1:NCWpmDDNjHNsrei6VmnYXzOiyZUxV8LVU19REGQ8dKA=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:373: vendor] Error 1

@42wim
Copy link
Member

42wim commented Feb 24, 2022
edited

Same issue on my build, when building release 1.6.2

There is an issue with the module on proxy.golang.org and the one directly on github, the v1.6.0 tag has probably changed (force pushed) on github

Try docker build . --build-arg GOPROXY=http://proxy.golang.org and the build will work

(or export GOPROXY=http://proxy.golang.org when not building using the Dockerfile)

@fhuberts
Copy link
Author

Same issue on my build, when building release 1.6.2

There is an issue with the module on proxy.golang.org and the one directly on github, the v1.6.0 tag has probably changed (force pushed) on github

Then the build should be fixed by gitea people. Leaving an inconsistency like this in the build is asking for problems.
More so because the source of the inconsistency is unknown at this time.
The module, or the proxy, might even be compromised...

Might be a good idea to reach out to the developer of the module and the proxy people...

Try docker build . --build-arg GOPROXY=http://proxy.golang.org and the build will work

(or export GOPROXY=http://proxy.golang.org when not building using the Dockerfile)

I'm not really inclined to do this. It's a bit asking builders to jump through hoops to make it work.

@42wim
Copy link
Member

42wim commented Feb 24, 2022

btw you can do curl -o v1.6.0.zip https://proxy.golang.org/github.com/niklasfasching/go-org/@v/v1.6.0.zip to get the module the proxy has compared with what the github one has. If you want to check about the compromise.

Then the build should be fixed by gitea people.

Not something the gitea people really can fix, seems like upstream changed tags after releasing the module.
The github.com/niklasfasching/go-org repo should retag

I'm not really inclined to do this. It's a bit asking builders to jump through hoops to make it work.

Well, the default is actually using the proxy and the gitea docker build itself also uses a proxy: see https://drone.gitea.io/go-gitea/gitea/51582/6/3 /usr/local/bin/docker build --rm=true -f Dockerfile -t 8ebf0e68ec2899584cef9cf0674a2c4650c00823 . --pull=true --build-arg GOPROXY=https://goproxy.cn

@fhuberts
Copy link
Author

Ok clear. I'll consider adding that to my build.
Maybe this should then also be documented on the 'building from source' page?

tnx

@fhuberts fhuberts mentioned this issue Feb 24, 2022
Closed
@fhuberts
Copy link
Author

I've filed issue niklasfasching/go-org#72 to notify the developer of the inconsistency

@fhuberts
Copy link
Author

The developer has tagged a new version.
You can use that to get rid of the inconsistency.

Gusted added a commit to Gusted/gitea that referenced this issue Feb 27, 2022
@Gusted
Update go-org to v1.6.1
d6a2e5c 
- v1.6.0 has a inconsistency with the proxy and github's tagged version,
updating to v1.6.1 should fix this issue.
- Resolves go-gitea#18864
@Gusted Gusted mentioned this issue Feb 27, 2022
Merged
zeripath pushed a commit that referenced this issue Feb 27, 2022
@Gusted
Update go-org to v1.6.1 (#18932)
79c7219 
- v1.6.0 has a inconsistency with the proxy and github's tagged version,
updating to v1.6.1 should fix this issue.
- Resolves #18864
@fhuberts
Copy link
Author

tnx

Chianina pushed a commit to Chianina/gitea that referenced this issue Mar 28, 2022
@Gusted
Update go-org to v1.6.1 (go-gitea#18932)
8748272 
- v1.6.0 has a inconsistency with the proxy and github's tagged version,
updating to v1.6.1 should fix this issue.
- Resolves go-gitea#18864
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update go-org to v1.6.1 Gusted/gitea
3 participants
@fhuberts @42wim @zeripath