Go Module Mirror and Checksum Database in Beta!


Katie Hockman

May 30, 2019, 9:14:18 PM
to golan...@googlegroups.com

Hey Gophers!

 

In the blog post Go Modules in 2019, we announced our intent to provide a module mirror for accelerating Go module downloads, an index for discovering new modules, and a checksum database for authenticating module content.

 

We are excited to share that our module mirror, index, and checksum database are now in beta, and are currently the default at tip for Go 1.13 development branch module-users!

 

Our privacy policy explains how we collect and use your information. The privacy policy for all of these services is proxy.golang.org/privacy.

 

The module mirror at proxy.golang.org serves the go command’s proxy protocol. The Go 1.13 development tree uses this mirror for all module downloads by default. See the go command documentation at tip for details. To make earlier versions of the go command use it (when in module mode), set GOPROXY=https://proxy.golang.org.

 

The checksum database at sum.golang.org helps verify new downloads from proxies or direct fetches, serving the URLs described in the Secure the Public Go Module Ecosystem proposal. The Go 1.13 development tree checks new module versions against the checksum database by default. Earlier versions of the go command cannot directly use the checksum database.

See the go command documentation at tip for details.

 

If you are using Go 1.12 or earlier, you can manually check a go.sum file against the checksum database with gosumcheck:

 

go get golang.org/x/exp/sumdb/gosumcheck

gosumcheck /path/to/go.sum

 

The module index at index.golang.org serves a feed of module versions in the order they are discovered. For example, see https://index.golang.org/index?since=2019-03-04T18:00:15.161182-07:00

 

We hope you’ll try out these new services! Please file issues if you spot them, with the title prefix “proxy.golang.org:” (or index.golang.org, or sum.golang.org). We look forward to hearing about how it’s working for you!


Cheers,

Katie Hockman
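
The comparison at the core of checking a go.sum file against the checksum database, as an added example (not part of the original post and not gosumcheck's code). It assumes the lookup response layout from the proposal (record number, go.sum lines, blank line, signed tree head); example.com/mod and all hashes are constructed, and the signed tree head is not verified here.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample data: example.com/mod and every hash below are made up.
const sampleGoSum = `example.com/mod v1.0.0 h1:LOCALconstructedHASHaaaaaaaaaaaaaaaaaaaaaaaaaa=
example.com/mod v1.0.0/go.mod h1:SAMEconstructedHASHbbbbbbbbbbbbbbbbbbbbbbbbbb=
`
// Assumed lookup response: record number, go.sum lines, blank line, signed tree head.
const sampleLookup = `7
example.com/mod v1.0.0 h1:REMOTEconstructedHASHcccccccccccccccccccccccc=
example.com/mod v1.0.0/go.mod h1:SAMEconstructedHASHbbbbbbbbbbbbbbbbbbbbbbbbbb=

go.sum database tree
`

// parseSumLines maps "module version" to its hash for each "module version h1:hash" line.
func parseSumLines(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			out[f[0]+" "+f[1]] = f[2]
		}
	}
	return out
}

// recordLines drops the record-number line and everything from the first blank line on.
func recordLines(resp string) string {
	_, rest, _ := strings.Cut(resp, "\n")
	body, _, _ := strings.Cut(rest, "\n\n")
	return body
}

// mismatches lists entries whose local go.sum hash differs from the database record.
func mismatches(goSum, lookupResp string) []string {
	local, bad := parseSumLines(goSum), []string{}
	for key, want := range parseSumLines(recordLines(lookupResp)) {
		if got, ok := local[key]; ok && got != want {
			bad = append(bad, key)
		}
	}
	sort.Strings(bad)
	return bad
}
func main() { fmt.Println(mismatches(sampleGoSum, sampleLookup)) }
```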

wilk

May 31, 2019, 1:15:28 PM
to golan...@googlegroups.com
On 30-05-2019, Katie Hockman wrote:

> The module mirror at proxy.golang.org serves the go command’s proxy
> protocol. The Go 1.13 development tree uses this mirror for all module
> downloads by default. See the go command documentation at tip
> <https://tip.golang.org/cmd/go/#hdr-Module_downloading_and_verification>
> for details. To make earlier versions of the go command use it (when in
> module mode), set GOPROXY=https://proxy.golang.org.

Could you explain why this option will be default and not opt-in ?
It can break current workflow, for example with private repos.

Thanks

--
William Dodé

Amnon Baron Cohen

May 31, 2019, 3:28:19 PM
to golang-nuts
See https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

The current behavior is not ideal from a security point of view.
So it is good that 1.13 is fixing this.
And unless the fix is default, most users will not get the benefit.

Anyone who wants the old behavior just needs to set two environment vars.

wilk

May 31, 2019, 4:37:49 PM
to golan...@googlegroups.com
On 31-05-2019, Amnon Baron Cohen wrote:
> See https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md
>
> The current behavior is not ideal from a security point of view.
> So it is good that 1.13 is fixing this.
> And unless the fix is default, most users will not get the benefit.

I see, thanks.

Is there a way to test proxy.golang.org with go1.12 if we have private
dependencies ?

--
William Dodé

Jim Ancona

May 31, 2019, 7:18:00 PM
to Katie Hockman, golang-nuts
On Thu, May 30, 2019 at 5:14 PM Katie Hockman <ka...@golang.org> wrote:

> Our privacy policy explains how we collect and use your information. The privacy policy for all of these services is proxy.golang.org/privacy.


I tried visiting that page, which redirected to https://policies.google.com/privacy. Unfortunately that page doesn't really help me to understand what data you will collect from proxy.golang.org or sum.golang.org and how you might use it. Is there a clear and simple explanation of that available? If no, perhaps there should be.

Thanks!

Katie Hockman

May 31, 2019, 8:48:58 PM
to Jim Ancona, golang-nuts
Thanks for the feedback! There is an issue tracking this here:

Amnon Baron Cohen

May 31, 2019, 9:41:09 PM
to golang-nuts
Not really. 
You need the list feature of GOPROXY, which is only available in 1.13 (or tip).