From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id EFLMAy/9KGGwygAAgWs5BA (envelope-from ) for ; Fri, 27 Aug 2021 16:56:47 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id +D7oOi79KGEFHAAA1q6Kng (envelope-from ) for ; Fri, 27 Aug 2021 14:56:46 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B0FE07634 for ; Fri, 27 Aug 2021 16:56:46 +0200 (CEST) Received: from localhost ([::1]:44496 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mJdHh-0007zF-ND for larch@yhetil.org; Fri, 27 Aug 2021 10:56:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:50408) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mJdHX-0007z5-Vb for guix-devel@gnu.org; Fri, 27 Aug 2021 10:56:36 -0400 Received: from mail-io1-xd36.google.com ([2607:f8b0:4864:20::d36]:45729) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1mJdHV-0004LC-RL for guix-devel@gnu.org; Fri, 27 Aug 2021 10:56:35 -0400 Received: by mail-io1-xd36.google.com with SMTP id e186so8806267iof.12 for ; Fri, 27 Aug 2021 07:56:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:date:in-reply-to:message-id :user-agent:mime-version; bh=AjYfwljOmf/cYR+Yd3iXB82VjRrOiZs5tgujroOTztM=; b=XbfE1b/mbWtjYNUbwB4+sQYP/6DZnBcM7e3cMbw6mnpG7g9zKiA4dK0IMfp9O1vaNZ oSLJxIpbyNZgPgw/vJFcOt/k70nwXqHoOqaabWYOShs3PK9mmYvQxWa4x7N7O2+AkvMV JPJ3y+dGQvceGXFbOGLOpajcuPC+TUdOoionGKTRqdX6jdrUtwD5zHmCW3wK8sRWVegx jNbpcWgBC5LBdUouYwTgjLdFwAAaIOvutts/aVY5MTeF/dyAoMWZ0yN26SkjUYKEXTGb f3zgT9nhMVJ10YaYEmce1hbG67v2Ph41L9zpxbTSt0J4Uabf20U08eQcZwbB6HQe8+Sk bxAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to :message-id:user-agent:mime-version; bh=AjYfwljOmf/cYR+Yd3iXB82VjRrOiZs5tgujroOTztM=; b=THnGnD1B4tA9/f76CJPHtOGfopEWboKLWuKcu9qE5FBX4wSm2bBgLGOsNd1gYNdkbF pYYQ4TL2SM2kBuPJYCRCWd3DwmTes0CNLE3DA95b637kfAuHl2M7ZbJygfKHlh0xhIfu JTOMpiWcN314jcC3V7a5MFXZxF+Ujox1Q0GcYgsV7DEhMwYlsCNwVpEiGLnHUlWLk9YV aO1nzc3mSrb0mbB+RyjddsNV8MiUUCR/EGCRYwkvCZJ7ruEYTf743lrqNfONGh1s5dPm zRm7I4/8LPGbc154kCGiuddSAHzBd7fOZD1Wq9woYeZimHbIFkaOo87M/hvU1fXvssll Ol3w== X-Gm-Message-State: AOAM531F+9Vx9UWe2dlq24NY/eyPtPCOeqmJVPTOuGG0zLfYi4b75dgn R6uN6s2WxTHyrVlyfAOF3ooHkkC5Nvg= X-Google-Smtp-Source: ABdhPJxG4WC+Z0Yx9iJsdZf9Siy2iM/LJr6Y5InSYjs2t7uMUKx6OIlkTBMuSMoWUlPIDYbqba8V7Q== X-Received: by 2002:a5d:9707:: with SMTP id h7mr8170184iol.28.1630076192111; Fri, 27 Aug 2021 07:56:32 -0700 (PDT) Received: from washu-v4 (172-221-246-205.res.spectrum.com. [172.221.246.205]) by smtp.gmail.com with ESMTPSA id z15sm3364980ioh.28.2021.08.27.07.56.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 27 Aug 2021 07:56:31 -0700 (PDT) From: Katherine Cox-Buday To: raingloom Subject: Re: goproxy notes References: <20210823214857.0ddc5ba4@riseup.net> Date: Fri, 27 Aug 2021 09:56:30 -0500 In-Reply-To: <20210823214857.0ddc5ba4@riseup.net> (raingloom@riseup.net's message of "Mon, 23 Aug 2021 21:48:57 +0200") Message-ID: <87y28nueap.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Received-SPF: pass client-ip=2607:f8b0:4864:20::d36; envelope-from=cox.katherine.e@gmail.com; helo=mail-io1-xd36.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "guix-devel@gnu.org" Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1630076206; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=AjYfwljOmf/cYR+Yd3iXB82VjRrOiZs5tgujroOTztM=; b=LDb2w+LmyPScaMitUpQlt5RWhMIPRBc9nqhlaVv5TchtiS1QtrVNrAyOL3W2J27x6btV0m OhZcJX548fsQ4q9ZfB0jkiwsUPNzAIaKgiwEqL9+Ycewxqn6C/nvVkNC8wjS/Q8woGb5LR bQ5s8Ks42k7Ei3h5iO8aW+WBCYENXx0GBQhOaURhiO4jHKmkccFVxmUo42CdMyjNQKgo4D +zZRXL4TPZJzMT5vSCWWMkXWddxvE1cubLAQyvDZmJTshGFGJ4pysy+ttbdxH4N0FNfipg yCX3tehJnQdRkYEW/37sYQ0aJUUOduB8tqmgRcVYl9D2rMcKu5SNJF8BAePyGQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1630076206; a=rsa-sha256; cv=none; b=D3Q1AOdiG7zG95vaF2HMCnnn++TG98Pfzl8Y+Gh9R9mi9lFnUtdVy9SnvXWpcRrC442eZw obU3/+h8/OGR+Aia3ZW44BTpxp9AFevT5wTngaDMGY5EWhtUs9dol9k++9SStZgrhFd+G7 82JwA0/Wp9Fx9aSS4OFd4Pp4G8otMX7uMFzzTkxvRWmxzMsIQoQkJ1gIgAW4D1BuReDRxo Z/DFFtsLlO/ILIg1mZ1W1iVutvbDzYzc0gie2vJufS2kVjAJ9ctJy/6nRm4/4O2B8X3SK/ QT2DZiLF5FW65wxaRWXyzVtGKWtrkWkJ2bbDr7TikutNr7EJg69YrPOxkYanUg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20161025 header.b="XbfE1b/m"; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.13 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=gmail.com header.s=20161025 header.b="XbfE1b/m"; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: B0FE07634 X-Spam-Score: -3.13 X-Migadu-Scanner: scn0.migadu.com X-TUID: 7wZtRFHKGl7o raingloom writes: > do we depend on this? if yes, it might be a good idea to disable the > proxy in the importer. > sorry, i don't have time to look into it myself right now, so i'm > dumping it here. > > https://drewdevault.com/2021/08/06/goproxy-breaks-go.html Thanks a lot for bringing this up. The Go importer has a flag for specifying the proxy server to check (Google's is used by default), but this is only used to fetch preliminary information about a module, i.e. =go.mod=, the repo's URL, and what the proxy thinks is the latest version. The VCS type, VCS URL, and actual source code are fetched from the module's defined source (i.e. github, etc.). It would have been much easier on everyone involved with writing the Go importer to just fetch the package from the proxy, but we had the foresight to realize it would cause this exact issue: centralization on a single service owned by a single company. Since we did not do that, a brief scan of our Go packages suggests that all of them are fetching source from their respective repositories, and not a proxy server. As I understand it, Guix builds cannot reach out to the network, so there is no risk of leaking metadata to Google via invocation of Go commands. Further, our current Go build system does not even use modules (this needs to change). I think this addresses all the points in this blog post. Overall, I think Guix is very well positioned because of how we generate Go packages, how our build system works, and how Guix emphasises reproducibility. -- Katherine