
GOPROXY=direct provide a corrupted version of collectd.org v0.5.0 #10408

Closed
RomainNaour opened this issue Jan 9, 2022 · 5 comments · Fixed by #14525
Labels
area/gcp Google Cloud plugins including cloud_pubsub, cloud_pubsub_push, stackdriver

Comments

@RomainNaour

Hello,

When building telegraf from sources, the download of all vendor modules (cargo vendor) fails when using GOPROXY=direct.

go: downloading collectd.org v0.5.0
get "collectd.org": found meta tag vcs.metaImport{Prefix:"collectd.org", VCS:"git", RepoRoot:"https://github.com/collectd/go-collectd"} at //collectd.org/?go-get=1
verifying collectd.org at v0.5.0: checksum mismatch
    downloaded: h1:mRTLdljvxJNXPMMO9RSxf0PANDAqu/Tz+I6Dt6OjB28=
    go.sum:     h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Some users reported a similar issue [1] and used "GOPROXY=proxy.golang.org" as a workaround.

Can you fix this problem?

To build Telegraf from sources using Buildroot or Yocto tools, we need a reliable method to fetch all required sources.

[1] google/flatbuffers#6466 (comment)
[2] http://lists.busybox.net/pipermail/buildroot/2022-January/633295.html

@telegraf-tiger telegraf-tiger bot added the area/gcp Google Cloud plugins including cloud_pubsub, cloud_pubsub_push, stackdriver label Jan 9, 2022
@powersj
Contributor

powersj commented Jan 10, 2022

I can reproduce this with:

main.go:

package main

import _ "collectd.org/api"

func main() {
}

go.mod:

module test

go 1.17

require collectd.org v0.5.0

go.sum:

collectd.org v0.5.0 h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=
collectd.org v0.5.0/go.mod h1:A/8DzQBkF6abtvrT2j/AU/4tiBgJWYyh0y/oB/4MlWE=

then run:

~/Documents/test via 🐹 v1.17.3 
❯ go clean -modcache
~/Documents/test via 🐹 v1.17.3 took 10s 
❯ GOPROXY=direct go mod tidy
go: downloading collectd.org v0.5.0
verifying collectd.org@v0.5.0: checksum mismatch
	downloaded: h1:mRTLdljvxJNXPMMO9RSxf0PANDAqu/Tz+I6Dt6OjB28=
	go.sum:     h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

The hashes in Telegraf have not changed in 10 months; they were originally added by Dependabot. My test program above seems to use the same hashes.

The project itself does not appear to have re-tagged or done a new release, unless there were some issues during the release and they retagged and the proxy has the old hashes?

This makes me believe it is the third option, and something is up with the mirror. That doesn't seem like something we, telegraf, can fix. There are no newer releases either, so I'm really not sure what else we could do.

If anything a bug report against go-collectd seems like a better course of action for a new tag/release and we can use the new version? Thoughts?
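As an added illustration (not code from this thread, Telegraf or go-collectd), the Go program below recomputes the h1: value the go command compares against go.sum, so a tree extracted from a module zip can be checked against either of the two hashes quoted above. It assumes the dirhash Hash1 layout and constructs its sample file tree, so the printed result is a mismatch like the one in the report.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 recomputes the "h1:" value go.sum records (assumed: dirhash Hash1 layout):
// one line "<sha256 hex>  <name>\n" per file, sorted by name, hashed again with
// SHA-256 and base64-encoded. Zip entries carry the "module@version/" prefix.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify is the check the go command performs on a GOPROXY=direct download:
// the recomputed hash must equal the go.sum entry for module@version.
func verify(goSum, module, version string, files map[string][]byte) error {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[0] != module || f[1] != version {
			continue
		}
		if got := hash1(files); got != f[2] {
			return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", module, version, got, f[2])
		}
		return nil
	}
	return fmt.Errorf("%s@%s: no entry in go.sum", module, version)
}

func main() {
	// go.sum line quoted from the thread; the file tree is constructed, so a mismatch is expected.
	goSum := "collectd.org v0.5.0 h1:y4uFSAuOmeVhG3GCRa3/oH+ysePfO/+eGJNfd0Qa3d8=\n"
	tree := map[string][]byte{"collectd.org@v0.5.0/go.mod": []byte("module collectd.org\n")}
	fmt.Println(verify(goSum, "collectd.org", "v0.5.0", tree))
}
```

To check a real download, feed it the entries of the zip in $GOMODCACHE/cache/download/collectd.org/@v/v0.5.0.zip; the separate "/go.mod" go.sum entry is hash1 over a single file named "go.mod".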

@RomainNaour
Author

Hello Joshua,

Thank you for your feedback!

May I ask you if you can report the issue to the Go community or the people in charge of the Go proxy?

I'm not sure what happened with the go-collectd 0.5.0 release, if it was released twice. But go-collectd was released on 2020-06-05 and added to Telegraf on 2021-03-24. The issue should have been detected by Dependabot?

There is not much activity on the go-collectd project since the release. Still, I'll open an issue on their side.

Best regards,
Romain

@powersj
Contributor

powersj commented Jan 10, 2022

I've filed collectd/go-collectd#94 to track this with the upstream.

@wangzhenfei-x

replace collectd.org as github.com/collectd/go-collectd

@powersj
Contributor

powersj commented Oct 12, 2022

I have tried getting an update on the upstream bug, but still do not see any updates. I am going to close this issue as there is not a current thing for us to do.
