proposal: GOSUMDB accepts a list of sumdb URLs #44936

Open
oiooj opened this issue Mar 11, 2021 · 6 comments

@oiooj oiooj (Member) commented Mar 11, 2021

Maybe we need to support to configure GOSUMDB in a list format, just like GOPROXY. For example:

GOSUMDB="sum.mycompany.com,sum.golang.org"

or

GOSUMDB="sum.mycompany.com,gosum.io,off"

We maintain an internal sumdb service for all Go developers in our company for security, and we hope they can build their personal projects outside the company, but they need to change GOSUMDB back to sum.golang.org now since they can't access the internal sumdb service.

Like GOPROXY: successful HTTP responses must have the status code 200 (OK). Redirects (3xx) are followed. Responses with status codes 4xx and 5xx are treated as errors. The error codes 404 (Not Found) and 410 (Gone) indicate that the requested data is not available on the server, but it may be found elsewhere.

List elements may be separated by commas (,) or pipes (|), which determine error fallback behavior. When a URL is followed by a comma, the go command falls back to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL is followed by a pipe, the go command falls back to later sources after any error, including non-HTTP errors such as timeouts.
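The comma/pipe fallback rules above, as an added example that is not part of the proposal or of the go command's own code: a parser for the proposed GOSUMDB list and a lookup loop that applies the rules to canned responses. Assumptions: the transport is injected as a `fetchFunc` (a real client would GET `/lookup/<module>@<version>` over HTTPS and follow 3xx redirects, which is not modelled here), the host names, the lookup path and the checksum line are constructed, and treating a trailing `off` as "stop verifying" is this example's reading of the proposal, not documented go command behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// sumdbSpec is one element of a GOSUMDB list under the separator rules the
// go command documents for GOPROXY: an element followed by a comma falls
// through to later elements only on 404/410; an element followed by a pipe
// falls through on any error, timeouts included.
type sumdbSpec struct {
	url                string
	fallBackOnAnyError bool
}

// parseSumDBList splits a value such as "sum.mycompany.com,sum.golang.org|off".
// The separator after an element decides that element's fallback rule; the
// last element has none and so never falls through.
func parseSumDBList(list string) ([]sumdbSpec, error) {
	var specs []sumdbSpec
	rest := strings.TrimSpace(list)
	for rest != "" {
		var raw string
		if i := strings.IndexAny(rest, ",|"); i < 0 {
			raw, rest = rest, ""
		} else {
			raw, rest = rest[:i], rest[i:]
		}
		spec := sumdbSpec{url: strings.TrimSpace(raw)}
		if rest != "" { // consume the separator that follows this element
			spec.fallBackOnAnyError = rest[0] == '|'
			rest = rest[1:]
		}
		if spec.url == "" {
			return nil, errors.New("GOSUMDB: empty list element")
		}
		specs = append(specs, spec)
	}
	return specs, nil
}

// fetchFunc is the injectable transport (assumption of this example): a real
// one would GET https://<url>/<path> and return the HTTP status and body.
type fetchFunc func(url, path string) (status int, body string, err error)

// ErrVerificationOff is returned when the walk reaches "off" before any
// database answered; the caller decides whether to proceed unverified.
var ErrVerificationOff = errors.New("GOSUMDB: reached \"off\", checksum not verified")

// lookup walks the list applying the fallback rules and returns the first
// 200 body, or the error that stopped the walk.
func lookup(specs []sumdbSpec, path string, fetch fetchFunc) (string, error) {
	if len(specs) == 0 {
		return "", errors.New("GOSUMDB: empty list")
	}
	var lastErr error
	for _, s := range specs {
		if s.url == "off" {
			return "", ErrVerificationOff
		}
		status, body, err := fetch(s.url, path)
		switch {
		case err == nil && status == 200:
			return body, nil
		case err == nil && (status == 404 || status == 410):
			// "not available here, may be found elsewhere": always fall through
			lastErr = fmt.Errorf("%s: %d not found", s.url, status)
			continue
		case err == nil:
			lastErr = fmt.Errorf("%s: unexpected status %d", s.url, status)
		default:
			lastErr = fmt.Errorf("%s: %w", s.url, err)
		}
		if !s.fallBackOnAnyError {
			return "", lastErr // comma-separated: a hard error stops the walk
		}
	}
	return "", lastErr
}

// response is a canned answer for one host; a non-nil err simulates a network
// failure. All of this is constructed test data, not real sumdb output.
type response struct {
	status int
	body   string
	err    error
}

// fakeFetch serves canned answers offline; hosts without an entry time out.
func fakeFetch(byHost map[string]response) fetchFunc {
	return func(url, _ string) (int, string, error) {
		r, ok := byHost[url]
		if !ok {
			return 0, "", errors.New("dial tcp: i/o timeout")
		}
		return r.status, r.body, r.err
	}
}

func main() {
	const path = "lookup/golang.org/x/text@v0.3.5" // constructed lookup path
	public := response{status: 200, body: "golang.org/x/text v0.3.5 h1:CONSTRUCTED-EXAMPLE-HASH\n"}
	for _, tc := range []struct {
		list  string
		hosts map[string]response
	}{
		{"sum.mycompany.com,sum.golang.org", map[string]response{"sum.mycompany.com": {status: 404}, "sum.golang.org": public}},
		{"sum.mycompany.com,sum.golang.org", map[string]response{"sum.golang.org": public}}, // internal host times out
		{"sum.mycompany.com|sum.golang.org", map[string]response{"sum.golang.org": public}},
	} {
		specs, _ := parseSumDBList(tc.list)
		body, err := lookup(specs, path, fakeFetch(tc.hosts))
		fmt.Printf("GOSUMDB=%q -> body=%q err=%v\n", tc.list, body, err)
	}
}
```

The second case in `main` is the situation the proposal describes (developer off the VPN, internal host unreachable): with a comma the timeout is a hard error and the public database is never consulted, so the list would have to use a pipe to get the fallback the author wants. The security-relevant caveat is that pipe fallback on timeouts also lets an attacker who can block traffic to the internal database steer the lookup to whichever later element they prefer, which is why `off` at the end of a list deserves caution.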

@gopherbot gopherbot added this to the Proposal milestone Mar 11, 2021
@FiloSottile FiloSottile (Contributor) commented Mar 11, 2021

I had not heard yet of internal sumdb deployments, so I would love to hear more about how and why you set it up, and your experience with it. I assume it also answers for public modules, in addition to internal ones? Does it obtain those checksums from sum.golang.org?

Is the issue that you want clients to fallback to sum.golang.org when your internal sumdb is not available? Why/when would it not be available? Is it when a VPN is not active, for example?

@ianlancetaylor ianlancetaylor added this to Incoming in Proposals Mar 11, 2021
@oiooj oiooj (Member, Author) commented Mar 12, 2021

> I had not heard yet of internal sumdb deployments, so I would love to hear more about how and why you set it up, and your experience with it. I assume it also answers for public modules, in addition to internal ones?

The internal sumdb server is for internal public modules, to ensure the integrity of the module. For example, in my company there are more than 30 thousand developers; if someone retags a module, it's very easy to find it using the internal sumdb.

> Does it obtain those checksums from sum.golang.org?

No, sum.golang.org cannot record internal modules, of course.

> Is the issue that you want clients to fallback to sum.golang.org when your internal sumdb is not available? Why/when would it not be available? Is it when a VPN is not active, for example?

If I want to compile my own project on the weekend, I don't want to connect to the company VPN. But I need to change the environment now.

@rsc rsc (Contributor) commented Mar 24, 2021

What is the threat model where an internal sumdb is needed for internal packages?
Is the idea to detect attackers who have taken control of your own internal source code repositories?
If they have done that, then I'm a little skeptical about assuming they don't also take control of the sumdb.

@oiooj oiooj (Member, Author) commented Mar 29, 2021

> What is the threat model where an internal sumdb is needed for internal packages?

Suppose project A of my team depends on project B v1.0.0 of another team. If that team modified B v1.0.0 quietly, our team can easily find the change via the internal sumdb service.

The quiet change (remaking a version) may cause irreparable damage, although we all know that remaking a version is not recommended.

@rsc rsc (Contributor) commented Apr 7, 2021

Project A's go.sum file will detect the case of B v1.0.0 changing underfoot.

The checksum database is for when you are introducing a new dependency, to make sure you get the one others are getting (no man-in-the-middle attacks on you).
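To make the first sentence of the comment above concrete, an added example (not the go command's own code, and not posted by anyone in this thread) that recomputes the `h1:` hash go.sum stores, using the algorithm of golang.org/x/mod/sumdb/dirhash.Hash1 on in-memory files so it runs offline, and shows the mismatch a quietly retagged B v1.0.0 produces. The module `corp.example/b`, its file contents, and the helper names `hash1`, `parseGoSum`, `verify` and `moduleB` are all constructed for the example; the only thing taken from the real tool is the hash construction and the go.sum line layout.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the "h1:" hash that go.sum records for a module version:
// sort the file names, emit "<sha256 hex>  <name>\n" per file, and sha256 the
// whole list. This mirrors golang.org/x/mod/sumdb/dirhash.Hash1 but takes an
// in-memory map instead of a zip so the example needs no network or disk.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// goSum maps "module version" to the recorded hash, as parsed from go.sum.
type goSum map[string]string

// parseGoSum reads "module version hash" lines, ignoring anything else.
func parseGoSum(text string) goSum {
	sums := goSum{}
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 {
			sums[f[0]+" "+f[1]] = f[2]
		}
	}
	return sums
}

// ErrNotRecorded means go.sum has no line for this module version; that is
// the only case in which the go command asks GOSUMDB for the checksum.
var ErrNotRecorded = errors.New("go.sum: no entry for module version")

// verify compares freshly downloaded module content against go.sum.
func verify(sums goSum, module, version string, files map[string][]byte) error {
	want, ok := sums[module+" "+version]
	if !ok {
		return ErrNotRecorded
	}
	if got := hash1(files); got != want {
		return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s",
			module, version, got, want)
	}
	return nil
}

// moduleB builds a constructed internal module, corp.example/b v1.0.0, laid
// out as it would be inside the module zip (paths prefixed module@version).
func moduleB(body string) map[string][]byte {
	return map[string][]byte{
		"corp.example/b@v1.0.0/go.mod": []byte("module corp.example/b\n\ngo 1.16\n"),
		"corp.example/b@v1.0.0/b.go":   []byte(body),
	}
}

func main() {
	original := moduleB("package b\n\nfunc Hello() string { return \"hello\" }\n")
	// Project A recorded B v1.0.0 in its go.sum when it first depended on it.
	sums := parseGoSum("corp.example/b v1.0.0 " + hash1(original) + "\n")
	fmt.Println("unchanged:", verify(sums, "corp.example/b", "v1.0.0", original))

	// Team B moves the v1.0.0 tag to different content.
	retagged := moduleB("package b\n\nfunc Hello() string { return \"hello, retagged\" }\n")
	fmt.Println("retagged:", verify(sums, "corp.example/b", "v1.0.0", retagged))
}
```

Nothing here depends on whether any checksum database knows about `corp.example/b`: once the hash is in project A's go.sum, a changed v1.0.0 fails verification on every machine that has that go.sum, which is the point rsc makes. The checksum database only matters for the first machine to add the dependency, when there is no go.sum line yet (`ErrNotRecorded` above).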

@oiooj oiooj (Member, Author) commented Apr 8, 2021

> Project A's go.sum file will detect the case of B v1.0.0 changing underfoot.
>
> The checksum database is for when you are introducing a new dependency, to make sure you get the one others are getting (no man-in-the-middle attacks on you).

Yes, but module B is an internal package; it can't be logged in the go.sum file.
