Upgrade dependency "github.com/envoyproxy/go-control-plane"

[Ben131-Go]

Background

Repo github.com/grpc/test-infra depends on github.com/envoyproxy/go-control-plane@v0.10.0.

https://github.com/grpc/test-infra/blob/master/go.mod#L7

However, comparing version v0.10.0 of github.com/envoyproxy/go-control-plane from proxy.golang.org and github, there are inconsistencies.

commit time of the copy on github.com

"committer": {
      "name": "GitHub",
      "email": "noreply@github.com",
      "date": "2021-11-01T15:26:26Z"
    }

commit time of the copy on proxy.golang.org

{"Version":"v0.10.0","Time":"2021-10-28T20:49:26Z"}

So the checksum from the code in github does not match the checksum saved in sum.golang.org. The v0.10.0 tag of github.com/envoyproxy/go-control-plane might have been retagged after a minor edition. Depending upon such inconsistent tag version may result in some unexpected errors as well as build errors due to different proxy settings.

For example, when someone who does not use proxy.golang.org to download dependencies attempts to get github.com/envoyproxy/go-control-plane@v0.10.0, the following errors occur.

go: downloading github.com/envoyproxy/go-control-plane v0.10.0
go: github.com/envoyproxy/go-control-plane@v0.10.0: verifying module: checksum mismatch
        downloaded: h1:ZyeIGk3fCB8NNzihPKZsCNCc7oTz7IgMsEy0E2G3iu4=
        sum.golang.org: h1:WVt4HEPbdRbRD/PKKPbPnIVavO6gk/h673jWyIJ016k=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

It is unwise to depend on such tag releases.

Solution

1. Bump the version of dependency github.com/envoyproxy/go-control-plane

I would recommend bumping the version of github.com/envoyproxy/go-control-plane to a new release to ensure dependency copy in proxy.golang.org and github in sync.

References

• https://proxy.golang.org/