proposal: cmd/go: allow multiple checksum databases in GOSUMDB #44936
Comments
I had not heard yet of internal sumdb deployments, so I would love to hear more about how and why you set it up, and your experience with it. I assume it also answers for public modules, in addition to internal ones? Does it obtain those checksums from Is the issue that you want clients to fall back to
The internal sumdb server is for internal public modules, to ensure the integrity of the module. For example, in my company there are more than 30 thousand developers; if someone retags a module, it's very easy to find it using the internal sumdb.
No,
If I want to compile my own project on the weekend, I don't want to connect to the company VPN. But I need to change the environment now.
What is the threat model where an internal sumdb is needed for internal packages?
Suppose a project A of my team depends on project B v1.0.0 of another team. If that team modified B v1.0.0 quietly, our team can easily find the change via the internal sumdb service. The quiet change (remaking a version) may cause irreparable damage, although we all know that remaking a version is not recommended.
Project A's go.sum file will detect the case of B v1.0.0 changing underfoot. The checksum database is for when you are introducing a new dependency, to make sure you get the one others are getting (no man-in-the-middle attacks on you).
Yes, but module B is an internal package; it can't be logged in the go.sum file.
It can, and I believe it does, get logged to go.sum. |
This proposal has been added to the active column of the proposals project |
Based on the discussion above, this proposal seems like a likely decline. |
No change in consensus, so declined. |
Maybe we need to support configuring `GOSUMDB` in a list format, just like `GOPROXY`. For example:

We maintain an internal sumdb service for all Go developers in our company for security, and we hope they can build their personal projects outside the company, but they need to change `GOSUMDB` back to `sum.golang.org` now since they can't access the internal sumdb service.

Like `GOPROXY`, successful HTTP responses must have the status code 200 (OK). Redirects (3xx) are followed. Responses with status codes 4xx and 5xx are treated as errors. The error codes 404 (Not Found) and 410 (Gone) indicate that the requested data is not available on the server, but it may be found elsewhere.

List elements may be separated by commas (,) or pipes (|), which determine error fallback behavior. When a URL is followed by a comma, the go command falls back to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL is followed by a pipe, the go command falls back to later sources after any error, including non-HTTP errors such as timeouts.
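The comma/pipe fallback rule quoted above from `GOPROXY`, applied to a `GOSUMDB`-style list, as an added Go example that is not part of this proposal or of cmd/go; the `httpError` type, the injected `fetch` function and the URLs used in tests are constructed stand-ins.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// httpError is a constructed stand-in for a non-2xx response from a checksum
// database; non-HTTP failures such as timeouts are plain errors instead.
type httpError struct{ Status int }
func (e *httpError) Error() string { return "HTTP " + strconv.Itoa(e.Status) }

// source is one list entry plus the separator that followed it (0 for the last).
type source struct{ url string; sep byte }

// parseList splits a GOPROXY-style list on ',' and '|', keeping each separator.
func parseList(list string) []source {
	var out []source
	for list != "" {
		sep, url := byte(0), list
		if i := strings.IndexAny(list, ",|"); i >= 0 {
			sep, url, list = list[i], list[:i], list[i+1:]
		} else {
			list = ""
		}
		if url = strings.TrimSpace(url); url != "" {
			out = append(out, source{url, sep})
		}
	}
	return out
}

// lookup tries each source in order: after ',' it moves on only after 404/410,
// after '|' after any error. It returns the body and the URL that served it,
// or the URL and error that stopped the walk.
func lookup(list string, fetch func(string) ([]byte, error)) (body []byte, from string, err error) {
	err = errors.New("empty checksum database list")
	for _, src := range parseList(list) {
		from = src.url
		if body, err = fetch(src.url); err == nil {
			return body, from, nil
		}
		var he *httpError
		notFound := errors.As(err, &he) && (he.Status == 404 || he.Status == 410)
		if src.sep != '|' && !(src.sep == ',' && notFound) {
			break // last source, or ',' with an error that is not 404/410
		}
	}
	return nil, from, err
}
```

With `internal|sum.golang.org` a developer off the VPN silently falls through to the public database on the timeout; with `internal,sum.golang.org` the timeout is reported instead, which is the safer default when the internal database is the one expected to answer.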