
proposal: package tools #37166

Closed
rbucker opened this issue Feb 11, 2020 · 2 comments

Comments

@rbucker

rbucker commented Feb 11, 2020

BACKGROUND

My development environment just ran out of disk space and when I checked I determined that $HOME/go was the culprit. I started to look at the contents only to discover that there were so
many packages from places I've never heard of. Granted some were OK because they were legit. For example:

cloud.google.com

but others like a seriously sketchy

go.uber.org
opencensus.io
gocloud

Feature request(s)

I do not doubt that is a complex ask but it is a serious flaw and potentially worse than docker hub

  • need a white list of packages or git repos
  • need an abort on nth level deps
  • need tools to fork a project tree recursively
  • need a way to determine if some set of libs could potentially communicate outside their sandbox
@gopherbot gopherbot added this to the Proposal milestone Feb 11, 2020
@rsc
Contributor

rsc commented Feb 12, 2020

This is definitely a general problem we are aware of. See https://research.swtch.com/deps for example.
Custom checks can be built on top of the go command output of things like go list -m all or go mod graph.
If you run a custom module proxy, like Athens, you can restrict the set of modules available.
Or you can download them and then use go list -m all to decide if you like the set.
(Note that downloading never runs code from the modules, unlike in other systems.)

As for "need a way to determine if some set of libs could potentially communicate outside their sandbox", there's really no sandbox at all, so this unfortunately isn't applicable.

In general this is not really a proposal - nothing concrete is being proposed. If you have a more specific proposal, please let us know, but this seems like a likely decline.
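The allowlist check rsc describes, built on `go list -m all` output, as an added example (not code from the Go project or from anyone in this thread). It assumes an allowlist of module path prefixes chosen by the reader, and the module lines below are constructed sample output, not a real build.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// checkModules parses the text output of `go list -m all` (main module on the
// first line, then one "path version" line per dependency) and returns every
// dependency line whose module path is not covered by an allowlisted prefix.
func checkModules(goListOutput string, allowPrefixes []string) []string {
	var denied []string
	for i, line := range strings.Split(strings.TrimSpace(goListOutput), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || i == 0 { // skip blank lines and the main module
			continue
		}
		if !allowed(fields[0], allowPrefixes) {
			denied = append(denied, line)
		}
	}
	return denied
}

// allowed matches whole path elements only, so "cloud.google.com" covers
// "cloud.google.com/go" but not a look-alike such as "cloud.google.com.evil/x".
func allowed(path string, prefixes []string) bool {
	for _, p := range prefixes {
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// Constructed sample of `go list -m all` output (hypothetical versions).
const sampleGoList = `example.com/myapp
cloud.google.com/go v0.53.0
go.uber.org/zap v1.13.0
go.opencensus.io v0.22.2
golang.org/x/net v0.0.0-20200202094626-16171245cfb2
`

func main() {
	denied := checkModules(sampleGoList, []string{"cloud.google.com", "golang.org/x"})
	for _, m := range denied {
		fmt.Fprintln(os.Stderr, "module not on allowlist:", m)
	}
	if len(denied) > 0 {
		os.Exit(1) // fail the build or CI step when an unlisted module is present
	}
}
```

In real use, replace sampleGoList with the captured output of `go list -m all` (for example via os/exec) and run the check in CI so an unlisted transitive module fails the build before it is ever compiled.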

@rsc
Contributor

rsc commented Feb 26, 2020

No change in consensus, so declined.

@rsc rsc closed this as completed Feb 26, 2020
@rsc rsc moved this from Likely Decline to Declined in Proposals (old) Feb 26, 2020
@golang golang locked and limited conversation to collaborators Feb 25, 2021