Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
cmd/go: [modules + integration] per-goproxy disabling of any notary check #31306
This report is part of a series, filled at the request of @mdempsky, focused at making Go modules integrator-friendly.
Please do not close or mark it as duplicate before making sure you’ve read and understood the general context. A lot of work went into identifying problems points precisely.
The check disabling needs to be per-module source, not per-module-match or for all, like in
The whole point of working in a trusted baseline mode is the ability to inject last-mile critical fixes in the third party modules used, and avoid lockdown while their upstream considers how it wants to fix identified problems. Therefore, any baseline module is likely not matching any external public notary hash. And this is not a problem.
Moreover, any module produced by intermediary
Asking a remote notary to attest you can use files you’ve just produced yourself would be more than slightly masochistic.
However, just because one needs to disable notary checks for internal goproxy module sources, does not mean that one would like to disable verifications for other modules sources like the internet.