Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: [modules + integration] per-goproxy disabling of any notary check #31306

Open
nim-nim opened this issue Apr 6, 2019 · 0 comments

Comments

@nim-nim
Copy link

commented Apr 6, 2019

This report is part of a series, filled at the request of @mdempsky, focused at making Go modules integrator-friendly.

Please do not close or mark it as duplicate before making sure you’ve read and understood the general context. A lot of work went into identifying problems points precisely.

Needed feature

Go needs to allow disabling any notary check on specific goproxy sources (#31304)

The check disabling needs to be per-module source, not per-module-match or for all, like in GONOVERIFY.

Constrains

  • the disabling needs to apply on specific goproxy sources

Motivation

The whole point of working in a trusted baseline mode is the ability to inject last-mile critical fixes in the third party modules used, and avoid lockdown while their upstream considers how it wants to fix identified problems. Therefore, any baseline module is likely not matching any external public notary hash. And this is not a problem.

Moreover, any module produced by intermediary go mod pack (issue #31302) calls can’t have been vouched for by any notary by construction:

  • it has just been created within the same CI/CD job
  • the CI/CD will typically block remote network calls.

Asking a remote notary to attest you can use files you’ve just produced yourself would be more than slightly masochistic.

However, just because one needs to disable notary checks for internal goproxy module sources, does not mean that one would like to disable verifications for other modules sources like the internet.

@nim-nim nim-nim changed the title [modules + integration] Per-goproxy disabling of any notary check [modules + integration] per-goproxy disabling of any notary check Apr 6, 2019

@thepudds thepudds changed the title [modules + integration] per-goproxy disabling of any notary check cmd/go: [modules + integration] per-goproxy disabling of any notary check Apr 6, 2019

@thepudds thepudds added the modules label Apr 6, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.