SECURITY: verifying github.com/google/cadvisor@v0.49.1: checksum mismatch #3508

Open
mangelajo opened this issue Mar 26, 2024 · 1 comment

Comments

@mangelajo

We are using cadvisor on a project, and suddenly we are getting a hash mismatch:

verifying github.com/google/cadvisor@v0.49.1: checksum mismatch
	downloaded: h1:L9S9Pdb/uu1HA2PGmgBG4q/V3s9Ct3VWsLicarHVvfQ=
	go.sum:     h1:9M++63nWvdq6Oci6wUDuAfQNTZpuz1ZObln0Bhs9xN0=

I wanted to confirm whether the release has been re-tagged; if it's a known developer action, this is OK. If not, we could be facing a security issue.

I had the previous version of v0.49.1 stored on a different computer, so I decided to run a diff against the new 0.49.1; this is what I get:

[majopela@centauro google]$ diff -r cadvisor@v0.49.1 cadvisor@v0.49.1_sec_warnig/
diff -r cadvisor@v0.49.1/build/release.sh cadvisor@v0.49.1_sec_warnig/build/release.sh
74c74
<   docker buildx build --platform "linux/${arch}" --build-arg VERSION="$VERSION" -f deploy/Dockerfile -t "$arch_specific_image"  --progress plain --push .
---
>   docker buildx build --platform "linux/${arch}" --provenance=false --build-arg VERSION="$VERSION" -f deploy/Dockerfile -t "$arch_specific_image"  --progress plain --push .
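Review bot: The only change on line 74 is the added `--provenance=false`, which stops buildx from attaching its SLSA provenance attestation to the pushed image, so downstream consumers lose build-provenance metadata they could otherwise verify; if the attestation manifest list breaks a consumer, record that reason in the commit, and ship the edited script under a new tag rather than re-using v0.49.1, because a changed tree under the same version no longer matches the h1 checksum recorded in every existing go.sum.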

It seems to be related to the provenance check of the images used in the build process or as base images, which is security-related.

Thank you

@mangelajo
Author

It seems to be related to: 570d8a7

If this was intentional, from my experience, never re-tag an existing tag: caches in GitHub and in Go proxies will make a big mess. We should always create a new minor version.
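How go.sum arrives at an h1: value, and why a re-tagged tree can never match the value already recorded, as an added example that is not from the issue or the cadvisor project: it reimplements the dirhash Hash1 algorithm that the go command uses over a constructed two-file module tree, so the file paths and contents are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// Hash1 reproduces the "h1:" hash that go.sum records (dirhash.Hash1): for
// every file, sorted by path, append "<sha256 hex>  <path>\n" to a summary,
// then sha256 the summary and base64-encode it. Module zips name their
// entries "module@version/path", so those prefixed paths are what go hashes.
func Hash1(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	summary := sha256.New()
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(summary, "%x  %s\n", sum[:], p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Constructed miniature of the module tree; an assumption, not real contents.
const prefix = "github.com/google/cadvisor@v0.49.1/"

func originalTree() map[string][]byte {
	return map[string][]byte{
		prefix + "go.mod":           []byte("module github.com/google/cadvisor\n"),
		prefix + "build/release.sh": []byte("docker buildx build --push .\n"),
	}
}

// retaggedTree is the same tag after the one-line release.sh edit shown in
// the issue: a single changed file is enough to change the module hash.
func retaggedTree() map[string][]byte {
	t := originalTree()
	t[prefix+"build/release.sh"] = []byte("docker buildx build --provenance=false --push .\n")
	return t
}

func main() {
	fmt.Println("original:", Hash1(originalTree())) // the value a go.sum would pin
	fmt.Println("retagged:", Hash1(retaggedTree())) // differs: checksum mismatch
}
```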

mangelajo added a commit to flightctl/flightctl that referenced this issue Mar 26, 2024
v0.49.1 seems to have been re-tagged upstream and the
caching of goproxies and github is causing issues.

We should stay on v0.49.0 until v0.49.2 is released.

Related-Issue: google/cadvisor#3508

Signed-off-by: Miguel Angel Ajo Pelayo <majopela@redhat.com>
avishayt pushed a commit to flightctl/flightctl that referenced this issue Mar 26, 2024