Re: trufflehog checksum fail

2023-08-31 Thread Ryan Schmidt
On Aug 1, 2023, at 22:37, Frank Cusack wrote:
> 
> 1. did the failed version (3.45.3) of trufflehog actually have some error 
> with checksum? or is this a macports anomaly.

A mistake was made when upgrading trufflehog to 3.45.3 on July 28: the 
maintainer forgot to update the checksums:

https://github.com/macports/macports-ports/commit/f18fffa5a99710f3699513f71acb92fe8bdca77d

Therefore, nobody could install this version; everybody received a checksum 
mismatch.

The problem was resolved when the maintainer updated the port to 3.46.2 on 
August 1:

https://github.com/macports/macports-ports/commit/91151652aa71bf6bb55efe75129e3b9b508530f6

> 2. do you agree macports has a bug re: forced, non-prompted, build deps 
> upgrades?

If you ask MacPorts to install or upgrade a port, it must upgrade your 
dependencies first, so this is intentional.

You can run into problems if you upgrade some but not all ports. Therefore we 
recommend users always use "sudo port upgrade outdated" and not try to upgrade 
ports individually (unless that is then followed up quite quickly with 
upgrading any remaining outdated ports).



Re: trufflehog checksum fail

2023-08-02 Thread Frank Cusack via macports-users
I did read the FAQ and did clean (--all all) and try again, only to fail
again. Only after the selfupdate did it work. I guess I'm not motivated
enough to try against the bad version manually at this time.

I am not worried about trufflehog working with any specific go version. Of
course once it's built it doesn't matter what version of go I have
installed. And I'm not worried about using a non-latest version of
trufflehog. I do in fact want the latest, I just neglected to selfupdate
first. But I figured even without selfupdate, the install of the older
version _should have worked_. I thought it was worth reporting.

What I'm most worried about is that `port install trufflehog` blindly
updated my installed go without asking or telling me first. Generally
speaking, when I update package X, I believe port is generally good at
telling me it also needs to upgrade Y and Z before blindly proceeding to do
more than I explicitly asked it to do. But I suspect that because
trufflehog is built locally from source, it needed to upgrade a *build*
dependency and for that it didn't bother to confirm first.

thanks

On Wed, Aug 2, 2023 at 6:21 AM Dave Allured - NOAA Affiliate <
dave.allu...@noaa.gov> wrote:

> Please read about checksum failures and when to build from source, in the
> Macports FAQ.  I would guess that you experienced either an intermittent
> server outage, or a stealth update.  You can self diagnose this by trying a
> manual download with curl.  Examine the result file.
>
> Macports is designed to keep users in sync with the latest versions.
> Please read about how to use older port versions in the HOWTO section.  In
> general, using a down level version is not recommended, especially for a
> security tool.  But it is possible.
>
> I would not worry about the golang update.  Either version of trufflehog
> will probably work just fine with either version of golang.
>
>
> On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users <
> macports-users@lists.macports.org> wrote:
>
>> excuse the long copy paste at the end, but this way you can see exactly
>> what happened.
>>
>> `sudo port install trufflehog` failed with source checksum failures. I
>> don't know if the checksums were actually bad or if this is an anomaly when
>> fetching the non-latest version. It does mean that I can never install that
>> version of trufflehog, which is sad.
>>
>> Anyway I got a hint to update first, so then after `selfupdate` (only! no
>> port upgrades!) and another `sudo port install trufflehog` it worked.
>>
>> BUT it updated my golang!! this reminds me of brew. :( :~(
>>
>> I guess trufflehog is built from source? and it is hard coded to require
>> go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
>> packages at least not without the Y/n prompt like on other implicit
>> upgrades.
>>
>> I then discovered I merely had to activate the older version. OK, but the
>> install/build process should have done this at the end, since I didn't
>> request that upgrade.
>>
>> 1. did the failed version (3.45.3) of trufflehog actually have some error
>> with checksum? or is this a macports anomaly.
>> 2. do you agree macports has a bug re: forced, non-prompted, build deps
>> upgrades?
>>
>> thanks
>>
>> [frank@mbp:~]$ sudo port install trufflehog
>> Password:
>> --->  Computing dependencies for trufflehog
>> --->  Fetching archive for trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> https://packages.macports.org/trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> http://mirror.fcix.net/macports/packages/trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
>> --->  Fetching distfiles for trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
>> https://distfiles.macports.org/go
>> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
>> https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
>> --->  Verifying checksums for trufflehog
>> Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Failed to checksum trufflehog: Unable to verify file checksums
>> Error: See
>> /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
>> for details.
>> Error: Follow https://guide.macports.org/#project.tickets if you believe
>> there is a bug.
>> Error: Processing of port trufflehog failed
>> [frank@mbp:~]$ sudo port selfupdate
>> --->  Updating MacPorts base sources using rsync
>> MacPorts base version 2.8.1 installed,
>> MacPorts base version 2.8.1 downloaded.
>> --->  Updating the ports tree
>> --->  MacPorts base is already the latest version
>>
>> The ports tree has 

Re: trufflehog checksum fail

2023-08-02 Thread Dave Allured - NOAA Affiliate via macports-users
Please read about checksum failures and when to build from source, in the
Macports FAQ.  I would guess that you experienced either an intermittent
server outage, or a stealth update.  You can self diagnose this by trying a
manual download with curl.  Examine the result file.

Macports is designed to keep users in sync with the latest versions.
Please read about how to use older port versions in the HOWTO section.  In
general, using a down level version is not recommended, especially for a
security tool.  But it is possible.

I would not worry about the golang update.  Either version of trufflehog
will probably work just fine with either version of golang.


On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users <
macports-users@lists.macports.org> wrote:

> excuse the long copy paste at the end, but this way you can see exactly
> what happened.
>
> `sudo port install trufflehog` failed with source checksum failures. I
> don't know if the checksums were actually bad or if this is an anomaly when
> fetching the non-latest version. It does mean that I can never install that
> version of trufflehog, which is sad.
>
> Anyway I got a hint to update first, so then after `selfupdate` (only! no
> port upgrades!) and another `sudo port install trufflehog` it worked.
>
> BUT it updated my golang!! this reminds me of brew. :( :~(
>
> I guess trufflehog is built from source? and it is hard coded to require
> go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
> packages at least not without the Y/n prompt like on other implicit
> upgrades.
>
> I then discovered I merely had to activate the older version. OK, but the
> install/build process should have done this at the end, since I didn't
> request that upgrade.
>
> 1. did the failed version (3.45.3) of trufflehog actually have some error
> with checksum? or is this a macports anomaly.
> 2. do you agree macports has a bug re: forced, non-prompted, build deps
> upgrades?
>
> thanks
>
> [frank@mbp:~]$ sudo port install trufflehog
> Password:
> --->  Computing dependencies for trufflehog
> --->  Fetching archive for trufflehog
> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
> https://packages.macports.org/trufflehog
> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
> http://mirror.fcix.net/macports/packages/trufflehog
> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
> --->  Fetching distfiles for trufflehog
> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
> https://distfiles.macports.org/go
> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
> https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
> --->  Verifying checksums for trufflehog
> Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
> Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
> Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
> Error: Failed to checksum trufflehog: Unable to verify file checksums
> Error: See
> /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
> for details.
> Error: Follow https://guide.macports.org/#project.tickets if you believe
> there is a bug.
> Error: Processing of port trufflehog failed
> [frank@mbp:~]$ sudo port selfupdate
> --->  Updating MacPorts base sources using rsync
> MacPorts base version 2.8.1 installed,
> MacPorts base version 2.8.1 downloaded.
> --->  Updating the ports tree
> --->  MacPorts base is already the latest version
>
> The ports tree has been updated. To upgrade your installed ports, you
> should run
>   port upgrade outdated
> [frank@mbp:~]$ sudo port install trufflehog
> Portfile changed since last build; discarding previous state.
> --->  Fetching archive for go
> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
> https://packages.macports.org/go
> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
> http://mirror.fcix.net/macports/packages/go
> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
> https://ywg.ca.packages.macports.org/mirror/macports/packages/go
> --->  Fetching distfiles for go
> --->  Attempting to fetch go1.20.7.src.tar.gz from
> https://distfiles.macports.org/go
> --->  Attempting to fetch go1.20.7.darwin-amd64.tar.gz from
> https://distfiles.macports.org/go
> --->  Verifying checksums for go
> --->  Extracting go
> --->  Configuring go
> --->  Building go
> --->  Staging go into destroot
> --->  Installing go @1.20.7_0
> --->  Cleaning go
> --->  Deactivating go @1.20.6_0
> --->  Cleaning go
> --->  Activating go @1.20.7_0
> --->  Cleaning go
> --->  Computing dependencies for trufflehog
> --->  Fetching archive for trufflehog
> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
> https://packages.macports.org/trufflehog
> --->  
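
Ryan's explanation (the port's recorded checksums were stale, so every download of 3.45.3 failed verification) and Dave's advice (fetch the distfile by hand with curl and examine it) both come down to re-running the three checks the log above reports: rmd160, sha256 and size. The script below is an added example, not MacPorts code. It parses the single-distfile form of a Portfile's `checksums` block and verifies a local file against it, reporting each algorithm separately so a mismatch on all three (as in Frank's log) can be told apart from a single bad line in the Portfile. The Portfile fragment and the three-byte "distfile" are constructed sample data; the digests are the published test vectors for the string `abc`, not the real trufflehog-3.45.3 values.

```python
"""Verify a downloaded distfile against a MacPorts Portfile's checksums.

Added example, not MacPorts code. Mirrors the three checks MacPorts prints
("Checksum (rmd160|sha256|size) mismatch") so they can be re-run by hand on a
file fetched with curl.
"""
import hashlib
import sys

# Constructed Portfile fragment in MacPorts' checksums syntax (assumed to be the
# single-distfile form: no filename prefix before the first algorithm).
# Digests are the standard test vectors for b"abc", not the real port's values.
SAMPLE_PORTFILE = r"""
name                trufflehog
version             3.45.3

checksums           rmd160  8eb208f7e05d987a9b044a8e98c6b087f15a0bfc \
                    sha256  ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
                    size    3
"""

SAMPLE_DISTFILE = b"abc"  # constructed "download" that matches the block above

# MacPorts algorithm names -> hashlib names. "rmd160" is RIPEMD-160, which some
# OpenSSL 3 builds only ship in the legacy provider, so it may be unavailable.
_HASHLIB_NAMES = {"rmd160": "ripemd160", "sha256": "sha256", "sha1": "sha1", "md5": "md5"}


def parse_checksums(portfile_text):
    """Return {algorithm: expected_value} from the Portfile's checksums block.

    The block is one logical line continued with trailing backslashes; joined,
    it is a flat sequence of (algorithm, value) pairs.
    """
    tokens = []
    collecting = False
    for line in portfile_text.splitlines():
        stripped = line.strip()
        if not collecting:
            if not stripped.startswith("checksums"):
                continue
            collecting = True
            stripped = stripped[len("checksums"):]
        continued = stripped.endswith("\\")
        tokens.extend(stripped.rstrip("\\").split())
        if not continued:
            break
    if not tokens or len(tokens) % 2:
        raise ValueError("malformed or missing checksums block")
    return dict(zip(tokens[0::2], tokens[1::2]))


def _digest(algorithm, data):
    """Hex digest under the MacPorts algorithm name, or None if not computable here."""
    name = _HASHLIB_NAMES.get(algorithm)
    if name is None:
        return None
    try:
        h = hashlib.new(name)
    except ValueError:  # hashlib does not offer this algorithm on this build
        return None
    h.update(data)
    return h.hexdigest()


def verify_distfile(data, expected):
    """Check data against {algorithm: value}; return {algorithm: 'ok'|'mismatch'|'unavailable'}."""
    results = {}
    for algorithm, value in expected.items():
        if algorithm == "size":
            results[algorithm] = "ok" if len(data) == int(value) else "mismatch"
            continue
        actual = _digest(algorithm, data)
        if actual is None:
            results[algorithm] = "unavailable"
        else:
            results[algorithm] = "ok" if actual == value.lower() else "mismatch"
    return results


def classify(results):
    """Overall verdict, as MacPorts applies it: any single mismatch fails the file."""
    if "mismatch" in results.values():
        return "mismatch"
    if not any(status == "ok" for status in results.values()):
        return "unverified"
    return "ok"


if __name__ == "__main__":
    # Usage: python verify_distfile.py [Portfile distfile]; with no arguments
    # the constructed sample data is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            expected = parse_checksums(f.read())
        with open(sys.argv[2], "rb") as f:
            data = f.read()
    else:
        expected, data = parse_checksums(SAMPLE_PORTFILE), SAMPLE_DISTFILE
    results = verify_distfile(data, expected)
    for algorithm, status in results.items():
        print(f"Checksum ({algorithm}) {status}")
    print("verdict:", classify(results))
```

A mismatch on its own does not say which side is wrong: here the Portfile was stale, but the same three errors would appear if the artifact at the download URL had changed. To decide, compare the file's sha256 with the value in the commit that updated the port and with whatever digest the upstream release publishes, rather than re-trying with a newer port and hoping. On Frank's second question, a dry run (`sudo port -y install trufflehog`) lists the dependency upgrades MacPorts will perform, including build dependencies such as go, before anything is changed.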

trufflehog checksum fail

2023-08-01 Thread Frank Cusack via macports-users
excuse the long copy paste at the end, but this way you can see exactly
what happened.

`sudo port install trufflehog` failed with source checksum failures. I
don't know if the checksums were actually bad or if this is an anomaly when
fetching the non-latest version. It does mean that I can never install that
version of trufflehog, which is sad.

Anyway I got a hint to update first, so then after `selfupdate` (only! no
port upgrades!) and another `sudo port install trufflehog` it worked.

BUT it updated my golang!! this reminds me of brew. :( :~(

I guess trufflehog is built from source? and it is hard coded to require
go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
packages at least not without the Y/n prompt like on other implicit
upgrades.

I then discovered I merely had to activate the older version. OK, but the
install/build process should have done this at the end, since I didn't
request that upgrade.

1. did the failed version (3.45.3) of trufflehog actually have some error
with checksum? or is this a macports anomaly.
2. do you agree macports has a bug re: forced, non-prompted, build deps
upgrades?

thanks

[frank@mbp:~]$ sudo port install trufflehog
Password:
--->  Computing dependencies for trufflehog
--->  Fetching archive for trufflehog
--->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
https://packages.macports.org/trufflehog
--->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
http://mirror.fcix.net/macports/packages/trufflehog
--->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
--->  Fetching distfiles for trufflehog
--->  Attempting to fetch trufflehog-3.45.3.tar.gz from
https://distfiles.macports.org/go
--->  Attempting to fetch trufflehog-3.45.3.tar.gz from
https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
--->  Verifying checksums for trufflehog
Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
Error: Failed to checksum trufflehog: Unable to verify file checksums
Error: See
/opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
for details.
Error: Follow https://guide.macports.org/#project.tickets if you believe
there is a bug.
Error: Processing of port trufflehog failed
[frank@mbp:~]$ sudo port selfupdate
--->  Updating MacPorts base sources using rsync
MacPorts base version 2.8.1 installed,
MacPorts base version 2.8.1 downloaded.
--->  Updating the ports tree
--->  MacPorts base is already the latest version

The ports tree has been updated. To upgrade your installed ports, you
should run
  port upgrade outdated
[frank@mbp:~]$ sudo port install trufflehog
Portfile changed since last build; discarding previous state.
--->  Fetching archive for go
--->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
https://packages.macports.org/go
--->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
http://mirror.fcix.net/macports/packages/go
--->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
https://ywg.ca.packages.macports.org/mirror/macports/packages/go
--->  Fetching distfiles for go
--->  Attempting to fetch go1.20.7.src.tar.gz from
https://distfiles.macports.org/go
--->  Attempting to fetch go1.20.7.darwin-amd64.tar.gz from
https://distfiles.macports.org/go
--->  Verifying checksums for go
--->  Extracting go
--->  Configuring go
--->  Building go
--->  Staging go into destroot
--->  Installing go @1.20.7_0
--->  Cleaning go
--->  Deactivating go @1.20.6_0
--->  Cleaning go
--->  Activating go @1.20.7_0
--->  Cleaning go
--->  Computing dependencies for trufflehog
--->  Fetching archive for trufflehog
--->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
https://packages.macports.org/trufflehog
--->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
http://mirror.fcix.net/macports/packages/trufflehog
--->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
--->  Fetching distfiles for trufflehog
--->  Attempting to fetch trufflehog-3.46.2.tar.gz from
https://distfiles.macports.org/go
--->  Verifying checksums for trufflehog
--->  Extracting trufflehog
--->  Configuring trufflehog
--->  Building trufflehog
--->  Staging trufflehog into destroot
--->  Installing trufflehog @3.46.2_0
--->  Activating trufflehog @3.46.2_0
--->  Cleaning trufflehog
--->  Scanning binaries for linking errors
--->  No broken files found.
--->  No broken ports found.
[frank@mbp:~]$ go version
go version go1.20.7 darwin/amd64
[frank@mbp:~]$ sudo port activate go @1.20.6_0
--->  Deactivating go @1.20.7_0
--->  Cleaning go
--->  Activating go @1.20.6_0
--->