search

radondb / radondb-mysql-kubernetes

Open Source,High Availability Cluster,based on MySQL
Apache License 2.0
351 stars 82 forks source link

Upgrade dependency "github.com/agiledragon/gomonkey" #758

Closed Ben131-Go closed 10 months ago

Ben131-Go commented 1 year ago

Background

Repo github.com/radondb/radondb-mysql-kubernetes depends on github.com/agiledragon/gomonkey/v2@v2.2.0.
https://github.com/radondb/radondb-mysql-kubernetes/blob/main/go.mod#L6
However, comparing version v2.2.0 of github.com/agiledragon/gomonkey from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
"name": "agiledragon",
"email": "zhangxiaolong1980@126.com",
"date": "2021-08-16T15:49:31Z"
}

commit time of the copy on proxy.golang.org

{"Version":"v2.2.0","Time":"2021-08-13T12:46:58Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v2.2.0 tag of github.com/agiledragon/gomonkey might have been retagged after a minor edition on github. I guess you use proxy.golang.org to get dependencies, but that also shows that your project is depending on the copy of github.com/agiledragon/gomonkey@v2.2.0 before its edition. Depending upon such inconsistent tag version may also result in some unexpected errors as well as build errors due to different proxy settings.
For example, when someone who does not use proxy.golang.org, say GOPROXY=direct, attempts to get github.com/agiledragon/gomonkey/v2@v2.2.0, the following error occurs.


go: downloading github.com/agiledragon/gomonkey/v2 v2.2.0
go: github.com/agiledragon/gomonkey/v2@v2.2.0: verifying module: checksum mismatch
downloaded: h1:SXUF5UN7ZH67ORjFK+e1FoFRZczCSVUvwTywNY2+fcg=
sum.golang.org: h1:QJWqpdEhGV/JJy70sZ/LDnhbSlMrqHAWHcNOjz1kyuI=

SECURITY ERROR This download does NOT match the one reported by the checksum server. The bits may have been replaced on the origin server, or an attacker may have intercepted the download attempt.

For more information, see 'go help module-auth'.


So, this is a reminder in the hope that you can get rid of this problematic version of project `github.com/agiledragon/gomonkey`.
## Solution
### 1. Bump the version of dependency `github.com/agiledragon/gomonkey`
I would recommend bumping the version of `github.com/agiledragon/gomonkey` to a new release to ensure dependency copy in proxy.golang.org and github in sync.

## References
+ <https://proxy.golang.org/>
github-actions[bot] commented 1 year ago

Hi! thanks for your contribution! great first issue!

zhl003 commented 1 year ago

Thank you for your patient explanation. We have noticed this problem, but due to the network environment we work in, we have to use proxy. We will consider your suggestion after evaluation. Thanks again, if you encounter any problems during compilation or use For other questions, you can contact us in personal email or issue

Ben131-Go commented 1 year ago

OK, everything works fine when setting GOPROXY=proxy.golang.org, direct