knative / hack

Knative common scripts.
Apache License 2.0

I'm worried people will forget this is turned off and not realize we're exposing ourselves #12

Open n3wscott opened 4 years ago

n3wscott commented 4 years ago

I'm worried people will forget this is turned off and not realize we're exposing ourselves

Can we add retries for CI?

Originally posted by @dprotaso in https://github.com/knative/hack/pull/10#issuecomment-720670333

dprotaso commented 4 years ago

Further discussion: https://knative.slack.com/archives/CCSNR4FCH/p1604425778429100

krsna-m commented 1 year ago

Slack context is lost; please reopen with context whenever.

dprotaso commented 1 year ago

Context:

When we fetched dependencies we were getting 4xx errors because they didn't show up in the module mirror and checksum database (there's a bit of a delay). To avoid this we turned off using the mirror and the checksum db. Doing this opens us up to a potential supply chain attack, since we aren't verifying the sums.

Settings are here: https://go.dev/ref/mod#checksum-database

dprotaso commented 1 year ago

I think the env var settings let you tweak which modules we do verification on; that could be a minimal option here.