10:33 a.m.
Hi everyone.
TL;DR: Remove a patch we ship in Go that disables GOPROXY and GOSUMDB and
follow upstream defaults, or keep it?
Recently, I had a short conversation in a public forum about two Go
features that we modified in Fedora. GOPROXY and GOSUMDB. As I prepare the
Fedora 40 and Go 1.22 proposal, it is a great time to discuss it.
You can see the conversation here, I think they bring really good points
that we should consider:
https://mas.to/@zekjur/111359951465906642
So first, what are these variables?
-
GOPROXY sets the server for fetching module-related information and
dependencies.
-
GOSUMDB sets the checksum database URL to verify module downloads and
ensure their integrity during module resolution.
You can read them more in detail here:
-
https://go.dev/ref/mod#environment-variables
-
https://go.dev/ref/mod#authenticating
-
https://go.dev/ref/mod#module-proxy
There are four approaches as I see this:
1.
Keep it the way it is right now.
2.
Remove the patch and follow upstream.
3.
Create a way to ensure the users know that that option can be changed
and leave one of the two previous options as default (by creating two
packages, one with the default setting and another that applies the patch).
4.
Have a GOPROXY service by Fedora.
1 and 2 are the easiest and most logical ones. 3rd is complex, and I'm not
sure it brings any value. 4th would be ideal, but that means maintaining a
service with all its costs and time.
10:58 a.m.
New subject: *****SPAM***** Enabling GOPROXY and GOSUMDB in Fedora
On Tue Dec 19, 2023 at 17:33 +0100, Alejandro Saez Morollon wrote:
TL;DR: Remove a patch we ship in Go that disables GOPROXY and GOSUMDB
and
follow upstream defaults, or keep it?
I support keeping the Google Go module proxy disabled by default. Our
packages should not send telemetry data to Google without explicit
opt-in. We can highlight in the documentation how to re-eanble GOPROXY
and GOSUMDB if necessary.
--
Maxwell G (@gotmax23)
Pronouns: He/They
3:13 p.m.
At a minimum, I recommend that the patch include the original values
for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it
easier to change back to default values. At the moment, one has to
visit the relevant web pages.
I lean towards providing upstream defaults in this case with updated
content on the developer portal (and elsewhere?) with information on
why changing these values would be useful. I agree that the comments
in the thread are persuasive (for me).
best regards
Brad
On Tue, Dec 19, 2023 at 8:34 AM Alejandro Saez Morollon <asm(a)redhat.com> wrote:
>
> Hi everyone.
>
>
> TL;DR: Remove a patch we ship in Go that disables GOPROXY and GOSUMDB and follow
upstream defaults, or keep it?
>
>
> Recently, I had a short conversation in a public forum about two Go features that we
modified in Fedora. GOPROXY and GOSUMDB. As I prepare the Fedora 40 and Go 1.22 proposal,
it is a great time to discuss it.
>
>
> You can see the conversation here, I think they bring really good points that we
should consider:
>
> https://mas.to/@zekjur/111359951465906642
>
>
> So first, what are these variables?
>
> GOPROXY sets the server for fetching module-related information and dependencies.
>
> GOSUMDB sets the checksum database URL to verify module downloads and ensure their
integrity during module resolution.
>
>
> You can read them more in detail here:
>
> https://go.dev/ref/mod#environment-variables
>
> https://go.dev/ref/mod#authenticating
>
> https://go.dev/ref/mod#module-proxy
>
>
> There are four approaches as I see this:
>
> Keep it the way it is right now.
>
> Remove the patch and follow upstream.
>
> Create a way to ensure the users know that that option can be changed and leave one
of the two previous options as default (by creating two packages, one with the default
setting and another that applies the patch).
>
> Have a GOPROXY service by Fedora.
>
>
> 1 and 2 are the easiest and most logical ones. 3rd is complex, and I'm not sure
it brings any value. 4th would be ideal, but that means maintaining a service with all its
costs and time.
>
>
> --
> _______________________________________________
> devel mailing list -- devel(a)lists.fedoraproject.org
> To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
4:09 p.m.
On Tue, Dec 19, 2023 at 4:14 PM Brad Smith <bradley.g.smith(a)gmail.com> wrote:
At a minimum, I recommend that the patch include the original values
for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it
easier to change back to default values. At the moment, one has to
visit the relevant web pages.
I lean towards providing upstream defaults in this case with updated
content on the developer portal (and elsewhere?) with information on
why changing these values would be useful. I agree that the comments
in the thread are persuasive (for me).
I agree with this. I'd rather keep the patch than revert to upstream defaults.
--
真実はいつも一つ!/ Always, there's only one truth!
5:14 a.m.
I would personally go with the 2 and get closer to the upstream. I agree
with the npm analogy that was made in the conversation.
Furthermore, I don't think that most users, working on Go projects on
Fedora, would even know that we provide different Go envars
to the upstream ones. IMO, they would change them to upstream values for
the benefit of cloning speed, if they knew about them.
Solution 3 and 4 are far too complex for the given value they provide.
If you decide to keep the envars as they are now, I would also agree with
having the original values commented.
On Tue, Dec 19, 2023 at 11:11 PM Neal Gompa <ngompa13(a)gmail.com> wrote:
On Tue, Dec 19, 2023 at 4:14 PM Brad Smith
<bradley.g.smith(a)gmail.com>
wrote:
>
> At a minimum, I recommend that the patch include the original values
> for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it
> easier to change back to default values. At the moment, one has to
> visit the relevant web pages.
>
> I lean towards providing upstream defaults in this case with updated
> content on the developer portal (and elsewhere?) with information on
> why changing these values would be useful. I agree that the comments
> in the thread are persuasive (for me).
>
I agree with this. I'd rather keep the patch than revert to upstream
defaults.
--
真実はいつも一つ!/ Always, there's only one truth!
--
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
Ondřej Pohořelský
Software Engineer
Red Hat <https://www.redhat.com>
opohorel(a)redhat.com
<https://www.redhat.com>
9:34 a.m.
On Wed Dec 20, 2023 at 12:14 +0100, Ondrej Pohorelsky wrote:
On Tue, Dec 19, 2023 at 11:11 PM Neal Gompa
<ngompa13(a)gmail.com> wrote:
> On Tue, Dec 19, 2023 at 4:14 PM Brad Smith <bradley.g.smith(a)gmail.com>
> wrote:
> >
> > At a minimum, I recommend that the patch include the original values
> > for GOPROXY, GOSUMDB, and GOTOOLCHAIN as comments. This makes it
> > easier to change back to default values. At the moment, one has to
> > visit the relevant web pages.
> >
> > I lean towards providing upstream defaults in this case with updated
> > content on the developer portal (and elsewhere?) with information on
> > why changing these values would be useful. I agree that the comments
> > in the thread are persuasive (for me).
> >
>
> I agree with this. I'd rather keep the patch than revert to upstream
> defaults.
<snip>
If you decide to keep the envars as they are now, I would also agree
with
having the original values commented.
Can someone clarify what they mean by this? The patch itself [1] makes
it pretty clear what the original values are. I think the main thing is
improving the user-facing documentation about why we do this and how to
restore the original behavior. The Fedora Developer Portal (which really
needs to be promoted more; it's a great resource!) documents [2] that we
change GOPROXY and GOTOOLCHAIN, but it doesn't mention GOSUMDB, and it's
lacking clear instructions about how to change the values back to
defaults.
[1]: https://src.fedoraproject.org/rpms/golang/blob/rawhide/f/0001-Modify-go.e...
[2]:
https://developer.fedoraproject.org/tech/languages/go/go-installation.htm...
--
Maxwell G (@gotmax23)
Pronouns: He/They
9:57 a.m.
Greetings -
On Wed, Dec 20, 2023 at 7:35 AM Maxwell G <maxwell(a)gtmx.me> wrote:
Can someone clarify what they mean by this? The patch itself [1]
makes
it pretty clear what the original values are.
When I look at /usr/lib/golang/go.env I see:
----
[bgsmith@pico newversionprep (main *%)]$ more /usr/lib/golang/go.env
# This file contains the initial defaults for go command configuration.
# Values set by 'go env -w' and written to the user's go/env file
override these.
# The environment overrides everything else.
# Use the Go module mirror and checksum database by default.
# See https://proxy.golang.org for details.
GOPROXY=proxy.golang.org,direct
GOSUMDB=sum.golang.org
# Automatically download newer toolchains as directed by go.mod files.
# See https://go.dev/doc/toolchain for details.
GOTOOLCHAIN=auto
------
The go.env file does not, as far as I can tell, contain the original
values from upstream. Just the modified values. Unless I modified the
file and cannot recall doing so! My suggestion was to include the
original upstream settings as comments.
improving the user-facing documentation about why we do this and how
to
restore the original behavior. The Fedora Developer Portal (which really
needs to be promoted more; it's a great resource!) documents [2] that we
change GOPROXY and GOTOOLCHAIN, but it doesn't mention GOSUMDB, and it's
lacking clear instructions about how to change the values back to
defaults.
The updates to this developer portal page with gosumdb were made last
month but there has been a delay in publishing to production. Should
show up any day.
best regards
1:53 p.m.
On Wed Dec 20, 2023 at 07:57 -0800, Brad Smith wrote:
The go.env file does not, as far as I can tell, contain the original
values from upstream. Just the modified values. Unless I modified the
file and cannot recall doing so! My suggestion was to include the
original upstream settings as comments.
Ah, now I see what you mean. Yes, we should definitely update those comments.
--
Maxwell G (@gotmax23)
Pronouns: He/They
147
days inactive
148
days old
7 comments
5 participants
participants (5)
-
Alejandro Saez Morollon -
Brad Smith -
Maxwell G -
Neal Gompa -
Ondrej Pohorelsky