I did read the FAQ and did clean (--all all) and try again, only to fail again. Only after the selfupdate did it work. I guess I'm not motivated enough to try against the bad version manually at this time.
I am not worried about trufflehog working with any specific go version. Of course once it's built it doesn't matter what version of go I have installed. And I'm not worried about using a non-latest version of trufflehog. I do in fact want the latest, I just neglected to selfupdate first. But I figured even without selfupdate, the install of the older version _should have worked_. I thought it was worth reporting. What I'm most worried about is that `port install trufflehog` blindly updated my installed go without asking or telling me first. Generally speaking, when I update package X, I believe port is generally good at telling me it also needs to upgrade Y and Z before blindly proceeding to do more than I explicitly asked it to do. But I suspect that because trufflehog is built locally from source, it needed to upgrade a *build* dependency and for that it didn't bother to confirm first. thanks On Wed, Aug 2, 2023 at 6:21 AM Dave Allured - NOAA Affiliate < dave.allu...@noaa.gov> wrote: > Please read about checksum failures and when to build from source, in the > Macports FAQ. I would guess that you experienced either an intermittent > server outage, or a stealth update. You can self diagnose this by trying a > manual download with curl. Examine the result file. > > Macports is designed to keep users in sync with the latest versions. > Please read about how to use older port versions in the HOWTO section. In > general, using a down level version is not recommended, especially for a > security tool. But it is possible. > > I would not worry about the golang update. Either version of trufflehog > will probably work just fine with either version of golang. > > > On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users < > macports-users@lists.macports.org> wrote: > >> excuse the long copy paste at the end, but this way you can see exactly >> what happened. >> >> `sudo port install trufflehog` failed with source checksum failures. i >> don't know if the checksums were actually bad or if this is an anomaly when >> fetching the non-latest version. it does mean that i can never install that >> version of trufflehog, which is sad. >> >> anyway i got a hint to update first, so than after `selfupdate` (only! no >> port upgrades!) and another `sudo port install trufflehog` it worked. >> >> BUT it updated my golang!! this reminds me of brew. :( :~( >> >> I guess trufflehog is built from source? and it is hard coded to require >> go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime) >> packages at least not without the Y/n prompt like on other implicit >> upgrades. >> >> I then discovered I merely had to activate the older version. OK, but the >> install/build process should have done this at the end, since I didn't >> request that upgrade. >> >> 1. did the failed version (3.45.3) of trufflehog actually have some error >> with checksum? or is this a macports anomaly. >> 2. do you agree macports has a bug re: forced, non-prompted, build deps >> upgrades? >> >> thanks >> >> [frank@mbp:~]$ sudo port install trufflehog >> Password: >> ---> Computing dependencies for trufflehog >> ---> Fetching archive for trufflehog >> ---> Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from >> https://packages.macports.org/trufflehog >> ---> Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from >> http://mirror.fcix.net/macports/packages/trufflehog >> ---> Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from >> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog >> ---> Fetching distfiles for trufflehog >> ---> Attempting to fetch trufflehog-3.45.3.tar.gz from >> https://distfiles.macports.org/go >> ---> Attempting to fetch trufflehog-3.45.3.tar.gz from >> https://github.com/trufflesecurity/trufflehog/archive/v3.45.3 >> ---> Verifying checksums for trufflehog >> Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz >> Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz >> Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz >> Error: Failed to checksum trufflehog: Unable to verify file checksums >> Error: See >> /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log >> for details. >> Error: Follow https://guide.macports.org/#project.tickets if you believe >> there is a bug. >> Error: Processing of port trufflehog failed >> [frank@mbp:~]$ sudo port selfupdate >> ---> Updating MacPorts base sources using rsync >> MacPorts base version 2.8.1 installed, >> MacPorts base version 2.8.1 downloaded. >> ---> Updating the ports tree >> ---> MacPorts base is already the latest version >> >> The ports tree has been updated. To upgrade your installed ports, you >> should run >> port upgrade outdated >> [frank@mbp:~]$ sudo port install trufflehog >> Portfile changed since last build; discarding previous state. >> ---> Fetching archive for go >> ---> Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from >> https://packages.macports.org/go >> ---> Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from >> http://mirror.fcix.net/macports/packages/go >> ---> Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from >> https://ywg.ca.packages.macports.org/mirror/macports/packages/go >> ---> Fetching distfiles for go >> ---> Attempting to fetch go1.20.7.src.tar.gz from >> https://distfiles.macports.org/go >> ---> Attempting to fetch go1.20.7.darwin-amd64.tar.gz from >> https://distfiles.macports.org/go >> ---> Verifying checksums for go >> ---> Extracting go >> ---> Configuring go >> ---> Building go >> ---> Staging go into destroot >> ---> Installing go @1.20.7_0 >> ---> Cleaning go >> ---> Deactivating go @1.20.6_0 >> ---> Cleaning go >> ---> Activating go @1.20.7_0 >> ---> Cleaning go >> ---> Computing dependencies for trufflehog >> ---> Fetching archive for trufflehog >> ---> Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from >> https://packages.macports.org/trufflehog >> ---> Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from >> http://mirror.fcix.net/macports/packages/trufflehog >> ---> Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from >> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog >> ---> Fetching distfiles for trufflehog >> ---> Attempting to fetch trufflehog-3.46.2.tar.gz from >> https://distfiles.macports.org/go >> ---> Verifying checksums for trufflehog >> ---> Extracting trufflehog >> ---> Configuring trufflehog >> ---> Building trufflehog >> ---> Staging trufflehog into destroot >> ---> Installing trufflehog @3.46.2_0 >> ---> Activating trufflehog @3.46.2_0 >> ---> Cleaning trufflehog >> ---> Scanning binaries for linking errors >> ---> No broken files found. >> ---> No broken ports found. >> [frank@mbp:~]$ go version >> go version go1.20.7 darwin/amd64 >> [frank@mbp:~]$ sudo port activate go @1.20.6_0 >> ---> Deactivating go @1.20.7_0 >> ---> Cleaning go >> ---> Activating go @1.20.6_0 >> ---> Cleaning go >> [frank@mbp:~]$ >> >