----- Original Message -----
From: "Katie Hockman" <katie(a)golang.org>
Sent: Monday, April 29, 2019 10:35:38 PM
Subject: [golang-dev] Try our new module mirror!
In the blog post Go Modules in 2019 <https://blog.golang.org/modules2019>
we announced our intent to provide a module mirror for accelerating Go
module downloads, an index for discovering new modules, and a checksum
database for authenticating module content.
We are excited to share that we are ready for developers to start alpha
testing our module mirror, index, and checksum database!
if I'm not mistaken the page that you are linking for privacy information of the
proxy seems not related to it at all. It looks like some sort of generic terms that Google
is using for all of its services. It is not describing what is collected and what for, how
and where it is retained and stored, etc. in context of the proxy/this new google
Could you expand on these topics in actual go proxy context, please? What are you
collecting/are you planning on collecting and what for?
The module mirror at proxy.golang.org
serves the go command’s proxy
protocol. To make the go command use it (when in module mode), set GOPROXY=
The module index at index.golang.org
serves a feed of module versions in
the order they are discovered. For example, see
The module checksum database at sum.golang.org
serves the URLs described in
the Secure the Public Go Module Ecosystem
With brief look on the proposal, just from the technical perspective(kind of including
modules too). Little has changed from my perspective since the initial proposal. I'm
still worried that I will have to disabled/de-configured or at worst case scenario even
patch it (out) to make our build system in Fedora work with Go sources that we are
curating/shipping/using(i.e. occasional need to carry downstream/backport patches).
Leaving out for now the privacy/MITM concerns which look nearly the same(i.e. IMHO not
resolved) as previously.
proposal. If you use the Go 1.13 development version of the go
will automatically use the
checksum database as well. To use the checksum database to protect other
code downloads, set GOSUMDB=sum.golang.org
explicitly. See the development
version go command docs
details. If you are using Go 1.12 or earlier, you can manually check a
go.sum file against the checksum database with gosumcheck
go get golang.org/x/exp/sumdb/gosumcheck
We hope you’ll try out these new services! Note that these are in the early
stages, so even though we don’t have any planned outages, you should
recognize it is an alpha release and instability and bugs are expected.
We’ll be actively working through these and improving our services, so
please file issues <https://github.com/golang/go/issues/new>
if you spot
them, with the title prefix “proxy.golang.org:” (or index.golang.org
). We look forward to hearing about how it’s working for you!
Is there anywhere a place where I or anyone else could pull the sources and contribute
to all of these new Go features/services that you are deploying/running, or so I/anyone
could potentially even run my own instances of proxy.golang.org
and help with devel?
Thanks for any info. Sorry if I have missed some details.
> You received this message because you are subscribed to the Google Groups
> "golang-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-dev+unsubscribe(a)googlegroups.com.
> For more options, visit https://groups.google.com/d/optout