Hi everyone.
TL;DR: Remove a patch we ship in Go that disables GOPROXY and GOSUMDB and follow upstream defaults, or keep it?
Recently, I had a short conversation in a public forum about two Go features that we modified in Fedora. GOPROXY and GOSUMDB. As I prepare the Fedora 40 and Go 1.22 proposal, it is a great time to discuss it.
You can see the conversation here, I think they bring really good points that we should consider:
https://mas.to/@zekjur/111359951465906642
So first, what are these variables?
-
GOPROXY sets the server for fetching module-related information and dependencies. -
GOSUMDB sets the checksum database URL to verify module downloads and ensure their integrity during module resolution.
You can read them more in detail here:
-
https://go.dev/ref/mod#environment-variables -
https://go.dev/ref/mod#authenticating -
https://go.dev/ref/mod#module-proxy
There are four approaches as I see this:
1.
Keep it the way it is right now. 2.
Remove the patch and follow upstream. 3.
Create a way to ensure the users know that that option can be changed and leave one of the two previous options as default (by creating two packages, one with the default setting and another that applies the patch). 4.
Have a GOPROXY service by Fedora.
1 and 2 are the easiest and most logical ones. 3rd is complex, and I'm not sure it brings any value. 4th would be ideal, but that means maintaining a service with all its costs and time.
On Tue Dec 19, 2023 at 17:33 +0100, Alejandro Saez Morollon wrote:
TL;DR: Remove a patch we ship in Go that disables GOPROXY and GOSUMDB and follow upstream defaults, or keep it?
I support keeping the Google Go module proxy disabled by default. Our packages should not send telemetry data to Google without explicit opt-in. We can highlight in the documentation how to re-eanble GOPROXY and GOSUMDB if necessary.
I support keeping the Google Go module proxy disabled by default. Our packages should not send telemetry data to Google without explicit opt-in.
What's the reason for treating Go differently than other languages? Fedora does not patch out calls to sites like npmjs.com, pypi.org, rubygems.org or repo.maven.apache.org, doesn't it?
Am 11.07.24 um 1:16 PM schrieb Chris Suszynski:
I support keeping the Google Go module proxy disabled by default. Our packages should not send telemetry data to Google without explicit opt-in.
What's the reason for treating Go differently than other languages? Fedora does not patch out calls to sites like npmjs.com, pypi.org, rubygems.org or repo.maven.apache.org, doesn't it?
Fedora has a policy of "no phone home without explicit user consent".
Ralf
Personally I agree with maxwells stance fedora is a privacy friendly distro.
On Fri, 12 Jul 2024 at 12:03, Ralf Corsépius rc040203@freenet.de wrote:
Am 11.07.24 um 1:16 PM schrieb Chris Suszynski:
I support keeping the Google Go module proxy disabled by default. Our
packages should not send telemetry data to Google without explicit opt-in.
What's the reason for treating Go differently than other languages?
Fedora does not patch out calls to sites like npmjs.com, pypi.org, rubygems.org or repo.maven.apache.org, doesn't it? Fedora has a policy of "no phone home without explicit user consent".
Ralf
devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
* Chris Suszynski [11/07/2024 11:16] :
What's the reason for treating Go differently than other languages? Fedora does not patch out calls to sites like npmjs.com, pypi.org, rubygems.org or repo.maven.apache.org, doesn't it?
Actually, we do.
https://src.fedoraproject.org/rpms/perl-Dancer2/c/990a6540412546f8ea8cc35ad7...
Emmanuel
At a minimum, I recommend that the patch include the original values for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it easier to change back to default values. At the moment, one has to visit the relevant web pages.
I lean towards providing upstream defaults in this case with updated content on the developer portal (and elsewhere?) with information on why changing these values would be useful. I agree that the comments in the thread are persuasive (for me).
best regards
Brad
On Tue, Dec 19, 2023 at 8:34 AM Alejandro Saez Morollon asm@redhat.com wrote:
Hi everyone.
TL;DR: Remove a patch we ship in Go that disables GOPROXY and GOSUMDB and follow upstream defaults, or keep it?
Recently, I had a short conversation in a public forum about two Go features that we modified in Fedora. GOPROXY and GOSUMDB. As I prepare the Fedora 40 and Go 1.22 proposal, it is a great time to discuss it.
You can see the conversation here, I think they bring really good points that we should consider:
https://mas.to/@zekjur/111359951465906642
So first, what are these variables?
GOPROXY sets the server for fetching module-related information and dependencies.
GOSUMDB sets the checksum database URL to verify module downloads and ensure their integrity during module resolution.
You can read them more in detail here:
https://go.dev/ref/mod#environment-variables
https://go.dev/ref/mod#authenticating
https://go.dev/ref/mod#module-proxy
There are four approaches as I see this:
Keep it the way it is right now.
Remove the patch and follow upstream.
Create a way to ensure the users know that that option can be changed and leave one of the two previous options as default (by creating two packages, one with the default setting and another that applies the patch).
Have a GOPROXY service by Fedora.
1 and 2 are the easiest and most logical ones. 3rd is complex, and I'm not sure it brings any value. 4th would be ideal, but that means maintaining a service with all its costs and time.
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Tue, Dec 19, 2023 at 4:14 PM Brad Smith bradley.g.smith@gmail.com wrote:
At a minimum, I recommend that the patch include the original values for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it easier to change back to default values. At the moment, one has to visit the relevant web pages.
I lean towards providing upstream defaults in this case with updated content on the developer portal (and elsewhere?) with information on why changing these values would be useful. I agree that the comments in the thread are persuasive (for me).
I agree with this. I'd rather keep the patch than revert to upstream defaults.
I would personally go with the 2 and get closer to the upstream. I agree with the npm analogy that was made in the conversation. Furthermore, I don't think that most users, working on Go projects on Fedora, would even know that we provide different Go envars to the upstream ones. IMO, they would change them to upstream values for the benefit of cloning speed, if they knew about them.
Solution 3 and 4 are far too complex for the given value they provide.
If you decide to keep the envars as they are now, I would also agree with having the original values commented.
On Tue, Dec 19, 2023 at 11:11 PM Neal Gompa ngompa13@gmail.com wrote:
On Tue, Dec 19, 2023 at 4:14 PM Brad Smith bradley.g.smith@gmail.com wrote:
At a minimum, I recommend that the patch include the original values for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it easier to change back to default values. At the moment, one has to visit the relevant web pages.
I lean towards providing upstream defaults in this case with updated content on the developer portal (and elsewhere?) with information on why changing these values would be useful. I agree that the comments in the thread are persuasive (for me).
I agree with this. I'd rather keep the patch than revert to upstream defaults.
-- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Wed Dec 20, 2023 at 12:14 +0100, Ondrej Pohorelsky wrote:
On Tue, Dec 19, 2023 at 11:11 PM Neal Gompa ngompa13@gmail.com wrote:
On Tue, Dec 19, 2023 at 4:14 PM Brad Smith bradley.g.smith@gmail.com wrote:
At a minimum, I recommend that the patch include the original values for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it easier to change back to default values. At the moment, one has to visit the relevant web pages.
I lean towards providing upstream defaults in this case with updated content on the developer portal (and elsewhere?) with information on why changing these values would be useful. I agree that the comments in the thread are persuasive (for me).
I agree with this. I'd rather keep the patch than revert to upstream defaults.
<snip>
If you decide to keep the envars as they are now, I would also agree with having the original values commented.
Can someone clarify what they mean by this? The patch itself [1] makes it pretty clear what the original values are. I think the main thing is improving the user-facing documentation about why we do this and how to restore the original behavior. The Fedora Developer Portal (which really needs to be promoted more; it's a great resource!) documents [2] that we change GOPROXY and GOTOOLCHAIN, but it doesn't mention GOSUMDB, and it's lacking clear instructions about how to change the values back to defaults.
[1]: https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/0001-Modify-go.env.... [2]: https://developer.fedoraproject.org/tech/languages/go/go-installation.html#f...
Greetings -
On Wed, Dec 20, 2023 at 7:35 AM Maxwell G maxwell@gtmx.me wrote:
Can someone clarify what they mean by this? The patch itself [1] makes it pretty clear what the original values are.
When I look at /usr/lib/golang/go.env I see:
---- [bgsmith@pico newversionprep (main *%)]$ more /usr/lib/golang/go.env # This file contains the initial defaults for go command configuration. # Values set by 'go env -w' and written to the user's go/env file override these. # The environment overrides everything else.
# Use the Go module mirror and checksum database by default. # See https://proxy.golang.org for details. GOPROXY=proxy.golang.org,direct GOSUMDB=sum.golang.org
# Automatically download newer toolchains as directed by go.mod files. # See https://go.dev/doc/toolchain for details. GOTOOLCHAIN=auto ------
The go.env file does not, as far as I can tell, contain the original values from upstream. Just the modified values. Unless I modified the file and cannot recall doing so! My suggestion was to include the original upstream settings as comments.
improving the user-facing documentation about why we do this and how to restore the original behavior. The Fedora Developer Portal (which really needs to be promoted more; it's a great resource!) documents [2] that we change GOPROXY and GOTOOLCHAIN, but it doesn't mention GOSUMDB, and it's lacking clear instructions about how to change the values back to defaults.
The updates to this developer portal page with gosumdb were made last month but there has been a delay in publishing to production. Should show up any day.
best regards
On Wed Dec 20, 2023 at 07:57 -0800, Brad Smith wrote:
The go.env file does not, as far as I can tell, contain the original values from upstream. Just the modified values. Unless I modified the file and cannot recall doing so! My suggestion was to include the original upstream settings as comments.
Ah, now I see what you mean. Yes, we should definitely update those comments.