golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

proposal: cmd/go: add go mod verify -tag #68669

Open Esra-Al opened 1 month ago

Esra-Al commented 1 month ago

Proposal Details

Go lacks a CLI to verify local repositories against the Go checksum database. Adding a flag in go mod verify to check local git tags against the sumdb would help module authors ensure their contents haven't been tampered with. This could prevent issues from unauthorized changes by someone with force-push access to GitHub, GitHub itself, or even Google.

I propose adding a -tag flag accepting the following values:

- all: Check all local git tags against the sumdb.
- latest: Check only the latest local git tag.
- [version]: Check a specific version (e.g., go mod verify -tag=v1.0.0).

-tag=latest is especially useful as the first command to run after pushing a new tag, as it will have the side-effect of loading it in the sumdb while checking it matches the local repository.

gabyhelp commented 1 month ago

Related Issues and Documentation


ianlancetaylor commented 1 month ago

CC @matloob

seankhliao commented 1 month ago

isn't this just GOPROXY=direct go get my.module ?

FiloSottile commented 1 month ago

I'm pretty excited about this, so far we don't have a good story for how the author-to-sumdb link is secured, but it's a very small gap to fill thanks to the sumdb design. It also gives a canonically good answer to "how do I review a dependency knowing it's what will be used by my application" that doesn't involve vendoring or digging into the modcache.

> isn't this just GOPROXY=direct go get my.module ?

Almost! That downloads the module from e.g. GitHub where it might have been tampered with. This checks the local copy as it was developed / is being reviewed. It's kind of like a hypothetical GOPROXY=local with nicer UI.
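What the check described above has to compute is the same "h1:" hash that the proxy recorded and the checksum database serves, only taken over the local checkout instead of a downloaded zip. The following is an added example, not code from the Go project or from the CL under discussion: it reimplements the Hash1 directory hash (the algorithm behind golang.org/x/mod/sumdb/dirhash, rewritten here so the example needs only the standard library) over a constructed in-memory module tree, derives both go.sum lines for a version, and compares them with a sumdb record. The record itself is constructed locally; a real tool would fetch it from the checksum database and verify its signature, which this example does not do. The module path, version and file contents are sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// fileSet is an in-memory module tree, path -> contents.
// In a real tool this would be the files at a local git tag (minus .git,
// vendor and nested modules, which module zips exclude).
type fileSet map[string][]byte

// hash1 is the "h1:" hash recorded in go.sum and the checksum database:
// SHA-256 over the lines "<sha256 hex>  <name>\n" for every file in
// byte-wise name order, then base64 with the "h1:" prefix. It mirrors
// golang.org/x/mod/sumdb/dirhash.Hash1; it is reimplemented here only so
// the example has no dependency outside the standard library.
func hash1(files fileSet) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", sum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// moduleZipHash is the hash the proxy and sumdb record for module@version.
// Inside a module zip every file lives under "<module>@<version>/", and the
// hash covers those prefixed names, so the module path and version are part
// of what gets verified.
func moduleZipHash(modPath, version string, tree fileSet) string {
	prefixed := make(fileSet, len(tree))
	for name, data := range tree {
		prefixed[modPath+"@"+version+"/"+name] = data
	}
	return hash1(prefixed)
}

// goModHash is the second go.sum line ("<module> <version>/go.mod h1:..."),
// which covers only go.mod, stored under the bare name "go.mod".
func goModHash(tree fileSet) string {
	return hash1(fileSet{"go.mod": tree["go.mod"]})
}

// sumdbRecord is what a checksum-database lookup for one version yields:
// the zip hash and the go.mod hash. Constructed locally in this example; a
// real implementation would fetch it from the sumdb and check its signature.
type sumdbRecord struct {
	ZipHash   string
	GoModHash string
}

// verifyTag recomputes both hashes from the local tree and compares them
// with the sumdb record. A nil error means the checked-out tag is byte-for-
// byte what every downstream `go get` of this version is verified against.
func verifyTag(modPath, version string, tree fileSet, rec sumdbRecord) error {
	if got := moduleZipHash(modPath, version, tree); got != rec.ZipHash {
		return fmt.Errorf("%s@%s: module hash mismatch\n  local: %s\n  sumdb: %s", modPath, version, got, rec.ZipHash)
	}
	if got := goModHash(tree); got != rec.GoModHash {
		return fmt.Errorf("%s@%s/go.mod: hash mismatch\n  local: %s\n  sumdb: %s", modPath, version, got, rec.GoModHash)
	}
	return nil
}

// sampleTree is a constructed module checkout (example data, not a real module).
func sampleTree() fileSet {
	return fileSet{
		"go.mod":  []byte("module example.com/verify-demo\n\ngo 1.22\n"),
		"demo.go": []byte("package demo\n\nfunc Version() string { return \"v1.0.0\" }\n"),
	}
}

func main() {
	const modPath, version = "example.com/verify-demo", "v1.0.0"
	clean := sampleTree()
	// Stand-in for the record the sumdb has held since the tag was first fetched.
	rec := sumdbRecord{ZipHash: moduleZipHash(modPath, version, clean), GoModHash: goModHash(clean)}
	fmt.Println("clean checkout:", verifyTag(modPath, version, clean, rec))

	// If the hosted copy of the tag no longer matches what was released, some
	// file differs, the recorded hash no longer matches and the check fails.
	tampered := sampleTree()
	tampered["demo.go"] = append(tampered["demo.go"], []byte("\n// injected change\n")...)
	fmt.Println("tampered checkout:", verifyTag(modPath, version, tampered, rec))
}
```

Because the version string is part of the hashed file names, the same tree checked under a different tag also fails, which is the behaviour a -tag=[version] check needs: it confirms that this exact tag, not merely some tree with the same contents, is what the sumdb has on record.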

gopherbot commented 1 month ago

Change https://go.dev/cl/596097 mentions this issue: cmd: add go mod verify -tag

Russ741 commented 1 month ago

Do we want go mod verify -tag to also verify the cache like go mod verify, or to skip that part?

matloob commented 1 month ago

cc @ianthehat Do you have a perspective on this?

ianthehat commented 3 weeks ago

I think that the functionality is a really good idea, and we should have it.

The ability to verify that the code you intended to make up a release flows through your code hosting site, into the module proxy and back down to you without modification is an important property to be able to check, and doing so is currently far too hard.

I am not totally convinced that go mod verify -tag=??? is the right interface to it, but am also happy to defer that decision to others. If it is, then the help message needs more substantial rewriting than that cl (it starts with "Verify checks that the dependencies of the current module, which are stored in a local downloaded source cache, have not been modified since being downloaded", and now we are making it do far more than that). We should also think if there are any other mod properties that we might want to verify in the future, and make sure the design allows for them if so.

rsc commented 1 week ago

This proposal has been added to the active column of the proposals project and will now be reviewed at the weekly proposal review meetings. — rsc for the proposal review group