xcaddy mentions a version of a module that doesn't exist?

This issue has been created since 2021-08-18.

UPDATE: Resolved. I don't know the cause of the version bumping behaviour but assume it's unrelated to Caddy and to do with Go get functionality.

I was able to get a successful build of the module by overriding problematic dependency versions with newer ones or referencing git commits (not mentioned in the xcaddy README as possible). That should probably be added to the README for troubleshooting :)


Recently the Souin Caddy plugin was updated and was meant to fix a verifying module: checksum mismatch error, but when I attempted to build that module again (without a version in --with) I got the same build failure.

No new tagged release was made on the project. I tried building the older tagged commit, but it failed as expected.

It's not documented in this project's README, but prior issues have mentioned referencing a specific commit instead, so I tried that:

ARG CADDY_VERSION=2.4.3
FROM caddy:${CADDY_VERSION}-builder AS builder
ARG [email protected]

RUN xcaddy build \
    --with github.com/darkweak/souin/plugins/caddy${SOUIN_VERSION}

FROM caddy:${CADDY_VERSION}-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

This fails with the same error and checksum mismatch values, presumably because the plugin's go.mod continues to reference the darkweak/[email protected] dependency that triggered the mismatch errors experienced?

go get: added github.com/caddyserver/caddy/v2 v2.4.3
2021/08/17 23:40:45 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/darkweak/souin/plugins/[email protected]
go: downloading github.com/darkweak/souin/plugins/caddy v0.0.0-20210817165413-ed8b9e9fd2d4
go: downloading github.com/darkweak/souin v1.5.3-0.20210817165413-ed8b9e9fd2d4
go: downloading github.com/darkweak/souin v1.5.2
github.com/darkweak/souin/plugins/caddy: github.com/darkweak/[email protected]: verifying module: checksum mismatch
    downloaded: h1:7Hm4N7WS7GDk4KANPg3LGk0m2AGfIrIX1DHkytWVATw=
    sum.golang.org: h1:WS/Q+qq7c+dIIw/abYYtWMpfj1ucjhfvaabW5Q+K6tc=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

The odd Caddy versioning I have seen and I assume is related to this reason (and nothing to do with xcaddy but how Go get works?), but why is the souin package mentioned twice, once with the non-existent (atm) v1.5.3-* tag, then the existing v1.5.2 tag (specified in the go.mod):

go: downloading github.com/darkweak/souin/plugins/caddy v0.0.0-20210817165413-ed8b9e9fd2d4
go: downloading github.com/darkweak/souin v1.5.3-0.20210817165413-ed8b9e9fd2d4

Is this something Go get is doing "bumping" a fake version because I provided a git commit hash after the commit of the latest tagged release? It then overrides that with the pinned version in go.mod causing the mismatch?

Or is this an issue on the maintainer's end that they can fix? (related issue on their repo)
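
Added example, not part of the original issue or of xcaddy's code: a small Go decoder for the three pseudo-version forms defined in the Go modules reference, run on the two versions from the `go get` output above. It shows that `v1.5.3-0.<timestamp>-<hash>` is the name Go gives an untagged commit made after the `v1.5.2` tag, and that `v0.0.0-<timestamp>-<hash>` means no tagged ancestor exists for that module path. `PseudoInfo` and `ParsePseudo` are names chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PseudoInfo is what a Go pseudo-version encodes.
type PseudoInfo struct {
	Base      string // tagged version the commit descends from; "" if none
	Timestamp string // commit time in UTC, yyyymmddhhmmss
	Rev       string // 12-character commit hash prefix
}

var pseudoRe = regexp.MustCompile(
	`^v(\d+)\.(\d+)\.(\d+)-(?:(.+)\.)?(\d{14})-([0-9a-f]{12})$`)

// ParsePseudo decodes the three pseudo-version forms from the Go modules
// reference; ok is false for ordinary tags such as v1.5.2.
func ParsePseudo(v string) (info PseudoInfo, ok bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return PseudoInfo{}, false
	}
	info = PseudoInfo{Timestamp: m[5], Rev: m[6]}
	patch, _ := strconv.Atoi(m[3])
	switch mid := m[4]; {
	case mid == "" && m[2] == "0" && m[3] == "0":
		// vX.0.0-ts-rev: no tagged ancestor for this module path.
	case mid == "0" && patch > 0:
		// vX.Y.(Z+1)-0.ts-rev: commit made after release tag vX.Y.Z.
		info.Base = fmt.Sprintf("v%s.%s.%d", m[1], m[2], patch-1)
	case strings.HasSuffix(mid, ".0"):
		// vX.Y.Z-pre.0.ts-rev: commit made after pre-release tag vX.Y.Z-pre.
		info.Base = fmt.Sprintf("v%s.%s.%s-%s", m[1], m[2], m[3], strings.TrimSuffix(mid, ".0"))
	default:
		return PseudoInfo{}, false
	}
	return info, true
}

func main() {
	// Both versions are taken from the go get output in the issue.
	for _, v := range []string{"v0.0.0-20210817165413-ed8b9e9fd2d4", "v1.5.3-0.20210817165413-ed8b9e9fd2d4"} {
		info, ok := ParsePseudo(v)
		fmt.Printf("%s pseudo=%v base=%q rev=%s\n", v, ok, info.Base, info.Rev)
	}
}
```
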

polarathene wrote this answer on 2021-08-18

Just for clarity, here is the output for --with pinning to @v1.5.2:

go get: added github.com/caddyserver/caddy/v2 v2.4.3
2021/08/17 23:34:38 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/darkweak/souin/plugins/[email protected]
go: downloading github.com/darkweak/souin v1.5.2
go get github.com/darkweak/souin/plugins/[email protected]: github.com/darkweak/[email protected]: verifying module: checksum mismatch
    downloaded: h1:7Hm4N7WS7GDk4KANPg3LGk0m2AGfIrIX1DHkytWVATw=
    sum.golang.org: h1:WS/Q+qq7c+dIIw/abYYtWMpfj1ucjhfvaabW5Q+K6tc=

And without any specific tag/commit:

go get: added github.com/caddyserver/caddy/v2 v2.4.3
2021/08/17 23:23:22 [INFO] exec (timeout=0s): /usr/local/go/bin/go get -d -v github.com/darkweak/souin/plugins/caddy
go: downloading github.com/darkweak/souin/plugins/caddy v0.0.0-20210817165413-ed8b9e9fd2d4
go: downloading github.com/darkweak/souin v1.5.2
github.com/darkweak/souin/plugins/caddy: github.com/darkweak/[email protected]: verifying module: checksum mismatch
    downloaded: h1:7Hm4N7WS7GDk4KANPg3LGk0m2AGfIrIX1DHkytWVATw=
    sum.golang.org: h1:WS/Q+qq7c+dIIw/abYYtWMpfj1ucjhfvaabW5Q+K6tc=

polarathene wrote this answer on 2021-08-18

I figured out a way to address the issue and progress the build further. I did not realize I could override the dependency version with --with lines to xcaddy. It might help to add that as a troubleshooting / workaround tip?

ARG CADDY_VERSION=2.4.3
FROM caddy:${CADDY_VERSION}-builder AS builder
ARG [email protected]

RUN xcaddy build \
    --with github.com/darkweak/souin${SOUIN_VERSION} \
    --with github.com/darkweak/souin/plugins/caddy${SOUIN_VERSION}

FROM caddy:${CADDY_VERSION}-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

This still fails, but appears to be an issue for the maintainer of the module to look into and resolve, or possibly another module I can override as the error looks like it's referencing an rc version of a dependency for some reason.


EDIT: I was able to resolve that issue too in the same manner. For some reason the plugin has a go.sum file with all 3 major versions of the package (Badger), I think it only uses the latest major version and this is an issue with housekeeping of such a file (not familiar with Go dev, in Rust and NodeJS there's no need to commit a vendor dir of packages/dependencies, which on their project creates rather noisy diffs in their PRs).

In this case, I had to override the 2nd major version release with the latest v2, doing so for any other version had no effect as they're presumably distinct (not sure how that works with imports, or if these older versions are even used and throwing build errors for unused dependencies).

ARG CADDY_VERSION=2.4.3
FROM caddy:${CADDY_VERSION}-builder AS builder
ARG [email protected]

RUN xcaddy build \
    --with github.com/darkweak/souin${SOUIN_VERSION} \
    --with github.com/dgraph-io/badger/v2 \
    --with github.com/darkweak/souin/plugins/caddy${SOUIN_VERSION}

FROM caddy:${CADDY_VERSION}-alpine

COPY --from=builder /usr/bin/caddy /usr/bin/caddy