trufflehog checksum fail

Frank Cusack frank at windscribe.com
Wed Aug 2 19:35:36 UTC 2023


I did read the FAQ and did clean (--all all) and try again, only to fail
again. Only after the selfupdate did it work. I guess I'm not motivated
enough to try against the bad version manually at this time.

I am not worried about trufflehog working with any specific go version. Of
course once it's built it doesn't matter what version of go I have
installed. And I'm not worried about using a non-latest version of
trufflehog. I do in fact want the latest, I just neglected to selfupdate
first. But I figured even without selfupdate, the install of the older
version _should have worked_. I thought it was worth reporting.

What I'm most worried about is that `port install trufflehog` blindly
updated my installed go without asking or telling me first. Generally
speaking, when I update package X, I believe port is generally good at
telling me it also needs to upgrade Y and Z before blindly proceeding to do
more than I explicitly asked it to do. But I suspect that because
trufflehog is built locally from source, it needed to upgrade a *build*
dependency and for that it didn't bother to confirm first.

thanks

On Wed, Aug 2, 2023 at 6:21 AM Dave Allured - NOAA Affiliate <
dave.allured at noaa.gov> wrote:

> Please read about checksum failures and when to build from source, in the
> Macports FAQ.  I would guess that you experienced either an intermittent
> server outage, or a stealth update.  You can self diagnose this by trying a
> manual download with curl.  Examine the result file.
>
> Macports is designed to keep users in sync with the latest versions.
> Please read about how to use older port versions in the HOWTO section.  In
> general, using a down level version is not recommended, especially for a
> security tool.  But it is possible.
>
> I would not worry about the golang update.  Either version of trufflehog
> will probably work just fine with either version of golang.
>
>
> On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users <
> macports-users at lists.macports.org> wrote:
>
>> excuse the long copy paste at the end, but this way you can see exactly
>> what happened.
>>
>> `sudo port install trufflehog` failed with source checksum failures. i
>> don't know if the checksums were actually bad or if this is an anomaly when
>> fetching the non-latest version. it does mean that i can never install that
>> version of trufflehog, which is sad.
>>
>> anyway i got a hint to update first, so then after `selfupdate` (only! no
>> port upgrades!) and another `sudo port install trufflehog` it worked.
>>
>> BUT it updated my golang!! this reminds me of brew. :( :~(
>>
>> I guess trufflehog is built from source? and it is hard coded to require
>> go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
>> packages at least not without the Y/n prompt like on other implicit
>> upgrades.
>>
>> I then discovered I merely had to activate the older version. OK, but the
>> install/build process should have done this at the end, since I didn't
>> request that upgrade.
>>
>> 1. did the failed version (3.45.3) of trufflehog actually have some error
>> with checksum? or is this a macports anomaly.
>> 2. do you agree macports has a bug re: forced, non-prompted, build deps
>> upgrades?
>>
>> thanks
>>
>> [frank at mbp:~]$ sudo port install trufflehog
>> Password:
>> --->  Computing dependencies for trufflehog
>> --->  Fetching archive for trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> https://packages.macports.org/trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> http://mirror.fcix.net/macports/packages/trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
>> --->  Fetching distfiles for trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
>> https://distfiles.macports.org/go
>> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
>> https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
>> --->  Verifying checksums for trufflehog
>> Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Failed to checksum trufflehog: Unable to verify file checksums
>> Error: See
>> /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
>> for details.
>> Error: Follow https://guide.macports.org/#project.tickets if you believe
>> there is a bug.
>> Error: Processing of port trufflehog failed
>> [frank at mbp:~]$ sudo port selfupdate
>> --->  Updating MacPorts base sources using rsync
>> MacPorts base version 2.8.1 installed,
>> MacPorts base version 2.8.1 downloaded.
>> --->  Updating the ports tree
>> --->  MacPorts base is already the latest version
>>
>> The ports tree has been updated. To upgrade your installed ports, you
>> should run
>>   port upgrade outdated
>> [frank at mbp:~]$ sudo port install trufflehog
>> Portfile changed since last build; discarding previous state.
>> --->  Fetching archive for go
>> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
>> https://packages.macports.org/go
>> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
>> http://mirror.fcix.net/macports/packages/go
>> --->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
>> https://ywg.ca.packages.macports.org/mirror/macports/packages/go
>> --->  Fetching distfiles for go
>> --->  Attempting to fetch go1.20.7.src.tar.gz from
>> https://distfiles.macports.org/go
>> --->  Attempting to fetch go1.20.7.darwin-amd64.tar.gz from
>> https://distfiles.macports.org/go
>> --->  Verifying checksums for go
>> --->  Extracting go
>> --->  Configuring go
>> --->  Building go
>> --->  Staging go into destroot
>> --->  Installing go @1.20.7_0
>> --->  Cleaning go
>> --->  Deactivating go @1.20.6_0
>> --->  Cleaning go
>> --->  Activating go @1.20.7_0
>> --->  Cleaning go
>> --->  Computing dependencies for trufflehog
>> --->  Fetching archive for trufflehog
>> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
>> https://packages.macports.org/trufflehog
>> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
>> http://mirror.fcix.net/macports/packages/trufflehog
>> --->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
>> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
>> --->  Fetching distfiles for trufflehog
>> --->  Attempting to fetch trufflehog-3.46.2.tar.gz from
>> https://distfiles.macports.org/go
>> --->  Verifying checksums for trufflehog
>> --->  Extracting trufflehog
>> --->  Configuring trufflehog
>> --->  Building trufflehog
>> --->  Staging trufflehog into destroot
>> --->  Installing trufflehog @3.46.2_0
>> --->  Activating trufflehog @3.46.2_0
>> --->  Cleaning trufflehog
>> --->  Scanning binaries for linking errors
>> --->  No broken files found.
>> --->  No broken ports found.
>> [frank at mbp:~]$ go version
>> go version go1.20.7 darwin/amd64
>> [frank at mbp:~]$ sudo port activate go @1.20.6_0
>> --->  Deactivating go @1.20.7_0
>> --->  Cleaning go
>> --->  Activating go @1.20.6_0
>> --->  Cleaning go
>> [frank at mbp:~]$
>>
>
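
The manual check suggested in the quoted reply (fetch the distfile yourself, then examine the result file), as an added example that is not part of the original thread or of MacPorts. The function names and the sample file are constructed for illustration; real expected values come from the port's Portfile (`port cat trufflehog`). Only size and sha256 are compared here, since rmd160 tooling varies between systems.

```sh
#!/bin/sh
# Added example: compare a manually downloaded distfile against the expected
# size and sha256, and report what kind of file was actually received.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

size_of() { wc -c < "$1" | tr -d ' '; }

# A .tar.gz must start with the gzip magic bytes 1f 8b. A file starting
# with '<' (0x3c) is usually an HTML/XML error page saved under that name.
kind_of() {
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    case "$magic" in
        1f8b) echo gzip ;;
        "")   echo empty ;;
        3c*)  echo markup ;;
        *)    echo other ;;
    esac
}

# check_distfile FILE EXPECTED_SIZE EXPECTED_SHA256
# Prints one line per check; returns 0 only when size and sha256 both match.
check_distfile() {
    file=$1; want_size=$2; want_sha=$3; rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    got_size=$(size_of "$file"); got_sha=$(sha256_of "$file")
    echo "type:   $(kind_of "$file")"
    if [ "$got_size" = "$want_size" ]; then echo "size:   ok"
    else echo "size:   MISMATCH got=$got_size want=$want_size"; rc=1; fi
    if [ "$got_sha" = "$want_sha" ]; then echo "sha256: ok"
    else echo "sha256: MISMATCH got=$got_sha"; rc=1; fi
    return $rc
}

# Constructed sample: an HTML error body saved under a tarball name, checked
# against constructed "expected" values (size 3, sha256 of the string "abc").
tmp=$(mktemp)
printf '<html><body>503 Service Unavailable</body></html>' > "$tmp"
check_distfile "$tmp" 3 \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad || true
rm -f "$tmp"
```

A `markup` or `empty` type together with a size mismatch means a different response body was saved in place of the tarball; a `gzip` type with the wrong sha256 means a real archive whose contents differ from what the Portfile recorded.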