I had not heard yet of internal sumdb deployments, so I would love to hear more about how and why you set it up, and your experience with it. I assume it also answers for public modules, in addition to internal ones? Does it obtain those checksums from sum.golang.org?

Is the issue that you want clients to fallback to sum.golang.org when your internal sumdb is not available? Why/when would it not be available? Is it when a VPN is not active, for example?

I had not heard yet of internal sumdb deployments, so I would love to hear more about how and why you set it up, and your experience with it. I assume it also answers for public modules, in addition to internal ones?

The internal sumdb server for internal public modules to ensure the integrity of the module. For example, in my company there are more than 30 thousand developers, if someone retag a module, it's very easy to find it using internal sumdb.

Does it obtain those checksums from sum.golang.org?

No, sum.golang.org can not recored internal modules of course.

Is the issue that you want clients to fallback to sum.golang.org when your internal sumdb is not available? Why/when would it not be available? Is it when a VPN is not active, for example?

If I want to compile a my own project on the weekend, I don’t want to connect to the company VPN. But I need to change the environment now.

What is the threat model where an internal sumdb is needed for internal packages?
Is the idea to detect attackers who have taken control of your own internal source code repositories?
If they have done that, then I'm a little skeptical about assuming they don't also take control of the sumdb.

What is the threat model where an internal sumdb is needed for internal packages?

Suppose a project A of my team depends on the project B v1.0.0 of another team, if the team modified B v1.0.0 quietly, our team can easily find the change via internal sumdb service.

The quietly change (remake version) may cause irreparable damage, although we all know that remake a version is not recommended.

Project A's go.sum file will detect the case of B v1.0.0 changing underfoot.

The checksum database is for when you are introducing a new dependency, to make sure you get the one others are getting (no man-in-the-middle attacks on you).

Project A's go.sum file will detect the case of B v1.0.0 changing underfoot.

The checksum database is for when you are introducing a new dependency, to make sure you get the one others are getting (no man-in-the-middle attacks on you).

Yes, but module B is an internal package, it can't be logged in go.sum file.

Yes, but module B is an internal package, it can't be logged in go.sum file.

It can, and I believe it does, get logged to go.sum.
Do you have evidence to the contrary?

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

Based on the discussion above, this proposal seems like a likely decline.
— rsc for the proposal review group

No change in consensus, so declined.
— rsc for the proposal review group