<div dir="ltr"><div dir="ltr">Please read about checksum failures and when to build from source, in the MacPorts FAQ. I would guess that you experienced either an intermittent server outage, or a stealth update. You can self-diagnose this by trying a manual download with curl. Examine the result file.</div><div dir="ltr"><br></div><div dir="ltr">MacPorts is designed to keep users in sync with the latest versions. Please read about how to use older port versions in the HOWTO section. In general, using a down-level version is not recommended, especially for a security tool. But it is possible.</div><div dir="ltr"><br></div><div>I would not worry about the golang update. Either version of trufflehog will probably work just fine with either version of golang.</div><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users &lt;<a href="mailto:macports-users@lists.macports.org">macports-users@lists.macports.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr">excuse the long copy paste at the end, but this way you can see exactly what happened.<div><br></div><div>`sudo port install trufflehog` failed with source checksum failures. i don't know if the checksums were actually bad or if this is an anomaly when fetching the non-latest version. it does mean that i can never install that version of trufflehog, which is sad.</div><div><br></div><div>anyway i got a hint to update first, so then after `selfupdate` (only! no port upgrades!) and another `sudo port install trufflehog` it worked.</div><div><br></div><div>BUT it updated my golang!! this reminds me of brew. :( :~(</div><div><br></div><div>I guess trufflehog is built from source? and it is hard coded to require go-1.20.7?
ok, fine but you shouldn't be updating my runtime (vs buildtime) packages at least not without the Y/n prompt like on other implicit upgrades.</div><div><br></div><div>I then discovered I merely had to activate the older version. OK, but the install/build process should have done this at the end, since I didn't request that upgrade.</div><div><br></div><div>1. did the failed version (3.45.3) of trufflehog actually have some error with checksum? or is this a macports anomaly.</div><div>2. do you agree macports has a bug re: forced, non-prompted, build deps upgrades?</div><div><br></div><div>thanks</div><div><br></div><div><font face="monospace">[frank@mbp:~]$ sudo port install trufflehog<br>Password:<br>---> Computing dependencies for trufflehog<br>---> Fetching archive for trufflehog<br>---> Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from <a href="https://packages.macports.org/trufflehog" target="_blank">https://packages.macports.org/trufflehog</a><br>---> Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from <a href="http://mirror.fcix.net/macports/packages/trufflehog" target="_blank">http://mirror.fcix.net/macports/packages/trufflehog</a><br>---> Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from <a href="https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog" target="_blank">https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog</a><br>---> Fetching distfiles for trufflehog<br>---> Attempting to fetch trufflehog-3.45.3.tar.gz from <a href="https://distfiles.macports.org/go" target="_blank">https://distfiles.macports.org/go</a><br>---> Attempting to fetch trufflehog-3.45.3.tar.gz from <a href="https://github.com/trufflesecurity/trufflehog/archive/v3.45.3" target="_blank">https://github.com/trufflesecurity/trufflehog/archive/v3.45.3</a><br>---> Verifying checksums for trufflehog<br>Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz<br>Error: Checksum (sha256) mismatch 
for trufflehog-3.45.3.tar.gz<br>Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz<br>Error: Failed to checksum trufflehog: Unable to verify file checksums<br>Error: See /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log for details.<br>Error: Follow <a href="https://guide.macports.org/#project.tickets" target="_blank">https://guide.macports.org/#project.tickets</a> if you believe there is a bug.<br>Error: Processing of port trufflehog failed<br>[frank@mbp:~]$ sudo port selfupdate<br>---> Updating MacPorts base sources using rsync<br>MacPorts base version 2.8.1 installed,<br>MacPorts base version 2.8.1 downloaded.<br>---> Updating the ports tree<br>---> MacPorts base is already the latest version<br><br>The ports tree has been updated. To upgrade your installed ports, you should run<br> port upgrade outdated<br>[frank@mbp:~]$ sudo port install trufflehog<br>Portfile changed since last build; discarding previous state.<br>---> Fetching archive for go<br>---> Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from <a href="https://packages.macports.org/go" target="_blank">https://packages.macports.org/go</a><br>---> Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from <a href="http://mirror.fcix.net/macports/packages/go" target="_blank">http://mirror.fcix.net/macports/packages/go</a><br>---> Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from <a href="https://ywg.ca.packages.macports.org/mirror/macports/packages/go" target="_blank">https://ywg.ca.packages.macports.org/mirror/macports/packages/go</a><br>---> Fetching distfiles for go<br>---> Attempting to fetch go1.20.7.src.tar.gz from <a href="https://distfiles.macports.org/go" target="_blank">https://distfiles.macports.org/go</a><br>---> Attempting to fetch go1.20.7.darwin-amd64.tar.gz from <a href="https://distfiles.macports.org/go" 
target="_blank">https://distfiles.macports.org/go</a><br>---> Verifying checksums for go<br>---> Extracting go<br>---> Configuring go<br>---> Building go<br>---> Staging go into destroot<br>---> Installing go @1.20.7_0<br>---> Cleaning go<br>---> Deactivating go @1.20.6_0<br>---> Cleaning go<br>---> Activating go @1.20.7_0<br>---> Cleaning go<br>---> Computing dependencies for trufflehog<br>---> Fetching archive for trufflehog<br>---> Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from <a href="https://packages.macports.org/trufflehog" target="_blank">https://packages.macports.org/trufflehog</a><br>---> Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from <a href="http://mirror.fcix.net/macports/packages/trufflehog" target="_blank">http://mirror.fcix.net/macports/packages/trufflehog</a><br>---> Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from <a href="https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog" target="_blank">https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog</a><br>---> Fetching distfiles for trufflehog<br>---> Attempting to fetch trufflehog-3.46.2.tar.gz from <a href="https://distfiles.macports.org/go" target="_blank">https://distfiles.macports.org/go</a><br>---> Verifying checksums for trufflehog<br>---> Extracting trufflehog<br>---> Configuring trufflehog<br>---> Building trufflehog<br>---> Staging trufflehog into destroot<br>---> Installing trufflehog @3.46.2_0<br>---> Activating trufflehog @3.46.2_0<br>---> Cleaning trufflehog<br>---> Scanning binaries for linking errors<br>---> No broken files found.<br>---> No broken ports found.<br>[frank@mbp:~]$ go version<br>go version go1.20.7 darwin/amd64<br>[frank@mbp:~]$ sudo port activate go @1.20.6_0<br></font></div><font face="monospace">---> Deactivating go @1.20.7_0<br>---> Cleaning go<br>---> Activating go @1.20.6_0<br>---> Cleaning go<br>[frank@mbp:~]$</font></div>
</blockquote></div></div>
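Added example, not part of either message: the manual check suggested in the reply above, sketched as a POSIX shell helper. It compares a downloaded distfile's size and SHA-256 with the values from the Portfile and, on mismatch, separates a response that is not an archive at all (typical of a server outage) from a real archive whose content changed. Function names and sample bytes are constructed for illustration, and the rmd160 checksum from the log is not checked here.

```shell
#!/bin/sh
# Added example. Fetch the distfile by hand first, e.g.
#   curl -fL -o trufflehog-3.45.3.tar.gz <master-site URL from the log>
# then pass the expected size and sha256 from the Portfile "checksums" block.

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Prints: match | not-an-archive | content-changed
# Returns 0 only on match.
diagnose_distfile() {
    file=$1; want_size=$2; want_sha256=$3
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_sha256=$(sha256_of "$file")
    if [ "$got_size" = "$want_size" ] && [ "$got_sha256" = "$want_sha256" ]; then
        echo match
        return 0
    fi
    # A .tar.gz starts with the gzip magic bytes 1f 8b.
    magic=$(od -An -tx1 -N2 "$file" | tr -d ' \n')
    if [ "$magic" != "1f8b" ]; then
        # HTML error page or empty/truncated body: retry or use another mirror.
        echo not-an-archive
    else
        # Looks like a gzip archive but the bytes differ: the tarball was
        # regenerated upstream or altered; do not install until explained.
        echo content-changed
    fi
    return 1
}

# Constructed demo inputs (not real distfiles).
demo() {
    d=$(mktemp -d)
    printf '\037\213\010constructed-tarball-bytes' > "$d/good.tar.gz"
    printf '<html>503 Service Unavailable</html>' > "$d/errpage.tar.gz"
    size=$(wc -c < "$d/good.tar.gz" | tr -d ' ')
    sum=$(sha256_of "$d/good.tar.gz")
    diagnose_distfile "$d/good.tar.gz" "$size" "$sum"
    diagnose_distfile "$d/errpage.tar.gz" "$size" "$sum" || true
    rm -rf "$d"
}
```

Call `demo` to see both outcomes on the constructed files.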