The tag for v1.5.2 appears to reference a repository which doesn't exist:
https://github.com/hashicorp/vault/blob/v1.5.2/go.sum#L550-L551
github.com/hashicorp/vault-plugin-auth-gcpent v0.0.0-20200721115240-07ff53341dfe h1:N9ueuVhwZOtZjozjXwy/wxNCQdf+d+2UKlEexnmFFqM=
github.com/hashicorp/vault-plugin-auth-gcpent v0.0.0-20200721115240-07ff53341dfe/go.mod h1:sHDguHmyGScoalGLEjuxvDCrMPVlw2c3f+ieeiHcv6w=
GitHub reports this as 404 at the moment:
Seeing the same.
Hi @swills & @herbygillot,
We had security content in 1.5.2, 1.5.1, and the older releases that we also released last week. Due to the nature of the vulnerability, we developed fixes for it in private repositories - one fix in a private copy of Vault and one fix in a private copy of the GCP auth plugin. Unfortunately, the release depends on the private copy of the GCP auth plugin. To ensure the SHAs of the binary match the GitHub tag SHA, we left this private dependency.
The private code has been merged to the public GCP auth plugin repo (https://github.com/hashicorp/vault-plugin-auth-gcp/commit/07ff53341dfe7f47daff989e9381ee68fecb8941), so you can now view the changes.
We plan to release 1.5.3 soon. For that, we'll release from the public Vault and GCP auth plugin repositories and you will be able to build from that tag. In the meantime, if you want to build 1.5.2 you'll need to update the GCP auth plugin dependency to point to the public repository.
We understand this is undesirable, but think this was the right decision. I'm going to close this, but feel free to re-open if you have follow-up questions.
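The workaround described in the reply above (redirect the private `vault-plugin-auth-gcpent` module to the public plugin repository at the merged commit), as an added example that is not part of the thread and not HashiCorp's own tooling; it assumes a checkout of the `v1.5.2` tag, a Go toolchain that resolves a commit hash in a `replace` directive to a pseudo-version on `go mod tidy`, and network access to fetch the public module:

```bash
#!/usr/bin/env sh
# Added example, not from the Vault project. Run inside a checkout of the
# v1.5.2 tag to make it build against the public GCP auth plugin.

PRIVATE_MOD="github.com/hashicorp/vault-plugin-auth-gcpent"           # private path in go.sum
PUBLIC_MOD="github.com/hashicorp/vault-plugin-auth-gcp"               # public repository
PUBLIC_COMMIT="07ff53341dfe7f47daff989e9381ee68fecb8941"             # commit named in the thread

# List "path version" pairs in a go.sum that reference the private module,
# collapsing the h1: and /go.mod entries into one line per version.
# Usage: private_refs <path-to-go.sum>
private_refs() {
    grep "^$PRIVATE_MOD " "$1" | awk '{print $1, $2}' | sed 's#/go.mod$##' | sort -u
}

# Rewrite go.mod so the private path resolves to the public repository at the
# given commit, then let `go mod tidy` turn the hash into a pseudo-version and
# refresh go.sum. Returns non-zero if go.sum still lacks the public module.
redirect_to_public() {
    go mod edit -replace "$PRIVATE_MOD=$PUBLIC_MOD@$PUBLIC_COMMIT"
    go mod tidy
    grep -q "^$PUBLIC_MOD " go.sum
}

# Only perform the rewrite when explicitly asked, so sourcing this file for
# the inspection helper has no side effects.
if [ "${1-}" = "apply" ]; then
    echo "private module references before rewrite:"
    private_refs go.sum
    redirect_to_public && echo "go.mod now resolves $PRIVATE_MOD via $PUBLIC_MOD"
fi
```

The resulting binary will not match the published v1.5.2 SHA, since the replace directive changes go.mod; that is the trade-off the thread describes.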
Does this mean we won't be able to build 1.5.1 and 1.5.2 from source?
Yes, that's correct. It was a decision between not being able to build the tags exactly, or having the git tag SHAs not match the released binary SHAs. Historically, we've prioritized having the SHAs match.
Ok. FWIW, it might be good to have a CI test that tests the public OSS version.
> Yes, that's correct. It was a decision between not being able to build the tags exactly, or having the git tag SHAs not match the released binary SHAs. Historically, we've prioritized having the SHAs match.
That decision, however, is going against your chosen license, which says that you have to provide the source code.
That means that this particular release does not comply with your license.
Hi @igalic, as I mentioned in my first response, the source code is now available in both the Vault and GCP Auth Plugin repositories.