[BUG]: dependencies of 4.3.0 not buildable from source #2121

Closed
eikemeier opened this issue Oct 19, 2024 · 5 comments · Fixed by #2122

@eikemeier

What version of Badger are you using?

v4.3.0

What version of Go are you using?

go1.23.2

Have you tried reproducing the issue with the latest release?

Yes

What is the hardware spec (RAM, CPU, OS)?

n/a

What steps will reproduce the bug?

go mod init example.com/badger-test

Add a file main.go:

package main

import (
	"fmt"

	"github.com/dgraph-io/badger/v4"
)

func main() {
	fmt.Println(badger.ErrDBClosed)
}

go get github.com/dgraph-io/badger/v4@v4.3.0
go mod tidy
fgrep github.com/dgraph-io/badger/v4 go.sum

You'll end up with a go.mod containing:

github.com/dgraph-io/badger/v4 v4.3.0 h1:lcsCE1/1qrRhqP+zYx6xDZb8n7U+QlwNicpc676Ub40=
github.com/dgraph-io/badger/v4 v4.3.0/go.mod h1:Sc0T595g8zqAQRDf44n+z3wG4BOqLwceaFntt8KPxUM=

Now clean the module cache and try to build from source:

go clean -modcache
env GOPRIVATE=github.com/dgraph-io/badger go run .

go: downloading github.com/dgraph-io/badger/v4 v4.3.0
verifying github.com/dgraph-io/badger/v4@v4.3.0: checksum mismatch
downloaded: h1:JZ8tapVYg+6sFQqg+BOokAxX+t09UeVPsPoXIq7jlNg=
go.sum: h1:lcsCE1/1qrRhqP+zYx6xDZb8n7U+QlwNicpc676Ub40=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

Expected behavior and actual result.

The program should be buildable from source. Affects https://github.com/dgraph-io/dgraph v24.0.4:

https://github.com/dgraph-io/dgraph/blob/v24.0.4/go.sum#L143-L144

Additional information

The tagged version depends on github.com/google/flatbuffers v24.3.25+incompatible in go.mod while the version in the sumdb depends on github.com/google/flatbuffers v1.12.1.

@eikemeier eikemeier added the kind/bug Something is broken. label Oct 19, 2024
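
An added example (not part of the original issue and not Badger's or Go's own code): the `/go.mod h1:` line in go.sum is a hash over the content of the module's go.mod, so two different go.mod files published under the same version cannot both match it. The go.mod bodies below are constructed, shortened stand-ins that differ only in the flatbuffers requirement named above, and `HashGoMod` and `VerifyGoMod` are hypothetical helper names.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed, shortened go.mod bodies (not the real files). They differ only
// in the flatbuffers requirement, like the two variants named in the issue.
const (
	sumdbGoMod = "module github.com/dgraph-io/badger/v4\n\nrequire github.com/google/flatbuffers v1.12.1\n"
	tagGoMod   = "module github.com/dgraph-io/badger/v4\n\nrequire github.com/google/flatbuffers v24.3.25+incompatible\n"
)

// HashGoMod (hypothetical helper) computes the value go.sum stores on a
// "<module> <version>/go.mod" line: the h1 hash of the single file go.mod,
// i.e. base64(SHA-256("<hex SHA-256 of content>  go.mod\n")).
func HashGoMod(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	manifest := fmt.Sprintf("%x  go.mod\n", fileSum[:])
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyGoMod (hypothetical helper) looks up the /go.mod line for module@version
// in goSum and reports whether goMod hashes to the recorded value.
// found is false when go.sum has no such line.
func VerifyGoMod(goSum, module, version string, goMod []byte) (ok, found bool) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return f[2] == HashGoMod(goMod), true
		}
	}
	return false, false
}

func main() {
	const mod, ver = "github.com/dgraph-io/badger/v4", "v4.3.0"
	// Constructed go.sum, as a build that saw the v1.12.1 variant would record it.
	goSum := fmt.Sprintf("%s %s/go.mod %s\n", mod, ver, HashGoMod([]byte(sumdbGoMod)))
	for _, v := range []struct{ name, body string }{{"sumdb", sumdbGoMod}, {"tag", tagGoMod}} {
		ok, _ := VerifyGoMod(goSum, mod, ver, []byte(v.body))
		fmt.Printf("%-5s variant matches go.sum: %v\n", v.name, ok)
	}
}
```
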
@mangalaman93
Contributor

I followed these exact steps and did not see the error that you mention. Am I missing something?

@eikemeier
Author

> I followed these exact steps and did not see the error that you mention. Am I missing something?

Maybe. Make sure all caches are cleaned between steps.

go clean -cache -modcache; rm go.sum
go get github.com/dgraph-io/badger/v4@v4.3.0
fgrep github.com/google/flatbuffers "$(go env GOMODCACHE)/github.com/dgraph-io/badger/v4@v4.3.0/go.mod"

should give github.com/google/flatbuffers v1.12.1, while

go clean -cache -modcache; rm go.sum
env GOPRIVATE=\* go get github.com/dgraph-io/badger/v4@v4.3.0
fgrep github.com/google/flatbuffers "$(go env GOMODCACHE)/github.com/dgraph-io/badger/v4@v4.3.0/go.mod"

should result in github.com/google/flatbuffers v24.3.25+incompatible.

@kruskall

This is the same issue as #2113

The 4.3.0 version was "tampered" and should probably be retracted at this point. I think a tag was created and later deleted (can't do this with go versions).

github v4.3.0 tag (https://github.com/dgraph-io/badger/releases/tag/v4.3.0) points at 02d7531

go list -m -json github.com/dgraph-io/badger/v4@v4.3.0 points at 2725dc8

The diff between the two commits looks safe: 2725dc8...02d7531

@mangalaman93
Contributor

Apologies for the confusion, working on retracting it. Thanks for filing an issue.

@eikemeier
Author

eikemeier commented Oct 24, 2024

> Apologies for the confusion, working on retracting it. Thanks for filing an issue.

No problem. I think the proper “fix” would be to move the tag to the correct commit (2725dc8) and investigate why this happened.

Retracting has the effect that everyone cannot build dependent projects, like the current github.com/dgraph-io@v24.0.4.
