Date: Sat, 28 Aug 2021 15:38:47 +0200
From: raingloom
To: Katherine Cox-Buday
Cc: "guix-devel@gnu.org"
Subject: Re: goproxy notes
Message-ID: <20210828153847.1fa898f1@amethyst>
In-Reply-To: <87y28nueap.fsf@gmail.com>

On Fri, 27 Aug 2021 09:56:30 -0500
Katherine Cox-Buday wrote:

> raingloom writes:
>
> > do we depend on this? if yes, it might be a good idea to disable the
> > proxy in the importer.
> > sorry, i don't have time to look into it myself right now, so i'm
> > dumping it here.
> >
> > https://drewdevault.com/2021/08/06/goproxy-breaks-go.html
>
> Thanks a lot for bringing this up.
>
> The Go importer has a flag for specifying the proxy server to check
> (Google's is used by default), but this is only used to fetch
> preliminary information about a module, i.e. =go.mod=, the repo's URL,
> and what the proxy thinks is the latest version. The VCS type, VCS
> URL, and actual source code are fetched from the module's defined
> source (i.e. github, etc.).
>
> It would have been much easier on everyone involved with writing the
> Go importer to just fetch the package from the proxy, but we had the
> foresight to realize it would cause this exact issue: centralization
> on a single service owned by a single company. Since we did not do
> that, a brief scan of our Go packages suggests that all of them are
> fetching source from their respective repositories, and not a proxy
> server.
>
> As I understand it, Guix builds cannot reach out to the network, so
> there is no risk of leaking metadata to Google via invocation of Go
> commands. Further, our current Go build system does not even use
> modules (this needs to change).
>
> I think this addresses all the points in this blog post. Overall, I
> think Guix is very well positioned because of how we generate Go
> packages, how our build system works, and how Guix emphasises
> reproducibility.
>

Guix wins again. UwU

Thanks for looking into it!
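
The split described in the quoted reply (proxy for preliminary metadata, the module's own host for VCS type, URL and source), sketched in Go as an added example; it is not code from Guix, its importer, or either poster. The function names, the `example.org` module and the sample HTML are constructed for illustration, and the go-import tag is matched with a simplified regexp rather than an HTML parser.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of what a module's own host serves for ?go-get=1.
const sampleHTML = `<meta name="go-import" content="example.org/Foo git https://git.example.org/foo">`
var (
	upper    = regexp.MustCompile(`[A-Z]`) // GOPROXY case encoding: "A" -> "!a"
	goImport = regexp.MustCompile(`<meta\s+name="go-import"\s+content="([^"]+)"`) // simplified: fixed attribute order
)

// MetadataURLs lists the proxy endpoints for preliminary data only; no .zip.
func MetadataURLs(proxy, mod, version string) []string {
	esc := upper.ReplaceAllStringFunc(mod, func(s string) string { return "!" + strings.ToLower(s) })
	base := strings.TrimRight(proxy, "/") + "/" + esc
	return []string{base + "/@latest", base + "/@v/" + version + ".mod"}
}

// OriginFromMeta returns the VCS type and repo root the source is fetched from.
func OriginFromMeta(html, mod string) (vcs, repo string, err error) {
	for _, m := range goImport.FindAllStringSubmatch(html, -1) {
		f := strings.Fields(m[1])
		if len(f) == 3 && (mod == f[0] || strings.HasPrefix(mod, f[0]+"/")) {
			return f[1], f[2], nil
		}
	}
	return "", "", fmt.Errorf("no go-import tag matches %q", mod)
}

// SourceIsProxy flags a package source URL whose host is a known proxy.
func SourceIsProxy(src string, proxyHosts []string) bool {
	u, err := url.Parse(src)
	for _, h := range proxyHosts {
		if err == nil && strings.EqualFold(u.Hostname(), h) {
			return true
		}
	}
	return err != nil // unparsable URLs are flagged for manual review
}

func main() {
	vcs, repo, err := OriginFromMeta(sampleHTML, "example.org/Foo/bar")
	fmt.Println(MetadataURLs("https://proxy.golang.org", "example.org/Foo/bar", "v1.2.0"), vcs, repo, err)
}
```

Running `SourceIsProxy` over every package's source URL is one way to repeat the "brief scan" mentioned in the reply.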