What is the relationship between go community and goproxy.io
141 views
Skip to first unread message
ljh
Oct 9, 2022, 11:50:49 AM10/9/22
to golang-nuts
Hi, community,
I Just saw this site: yunzhanghu.com , is listed as Special Sponsor on goproxy.io homepage.
I'm just curious, is goproxy.io endorsed by The Go Team and is goproxy.io trustworthy?
$ whois goproxy.io
Registrant Name: REDACTED FOR PRIVACY
ljh
Oct 9, 2022, 11:50:49 AM10/9/22
to golang-nuts
Just found another, are these two sites related: goproxy.io , goproxy.cn .
Ian Lance Taylor
Oct 9, 2022, 12:01:09 PM10/9/22
to ljh, golang-nuts
goproxy.io is not run by, or endorsed by, the core Go team.
That said, it's been around for a while, and I've never heard anything bad about it. But I've never used it myself.
Ian
ljh
Oct 9, 2022, 1:59:38 PM10/9/22
to Ian Lance Taylor, golang-nuts
Thanks Ian,
There is no official proxy / mirror sites by core team, right?
Ian Lance Taylor
Oct 9, 2022, 4:02:53 PM10/9/22
to ljh, golang-nuts
On Sun, Oct 9, 2022 at 10:59 AM ljh <lj...@qq.com> wrote:
>
> There is no official proxy / mirror sites by core team, right?
The Go team runs proxy.golang.org. See
>
> There is no official proxy / mirror sites by core team, right?
https://go.dev/blog/module-mirror-launch . The "go" command uses that
proxy by default, though you can change that; see
https://pkg.go.dev/cmd/go#hdr-Modules__module_versions__and_more .
Ian
tapi...@gmail.com
Oct 10, 2022, 12:39:29 AM10/10/22
to golang-nuts
On Sunday, October 9, 2022 at 11:50:49 PM UTC+8 ljh wrote:
Hi, community,I Just saw this site: yunzhanghu.com , is listed as Special Sponsor on goproxy.io homepage.I'm just curious, is goproxy.io endorsed by The Go Team and is goproxy.io trustworthy?
By the go module cache system design, if you trust the server set in your GOSUMDB env var,
which is defaulted to sum.golang.org, then it is not a matter whatever proxy server your are using.
Brian Candler
Oct 10, 2022, 3:11:06 AM10/10/22
to golang-nuts
> By the go module cache system design, if you trust the server set in your GOSUMDB env var,
> which is defaulted to sum.golang.org, then it is not a matter whatever proxy server your are using.
From the point of view of downloaded package integrity, yes.
But there are other things an untrustworthy proxy might do - such as tracking what packages and versions you use, identifying which clients are using packages with known security vulnerabilities, selling that data on to third parties etc.
tapi...@gmail.com
Oct 10, 2022, 9:49:06 PM10/10/22
to golang-nuts
This is true for any website we visit daily. :D
Reply all
Reply to author
Forward
0 new messages