I'm worried people will forget this is turned off and not realize we're exposing ourselves #12
Comments
|
Further discussion: |
|
Slack context is lost please reopen with context whenever |
|
Context: When we fetch dependencies we were getting 4xx errors because they didn't show up in the module mirror and checksum database (there's a bit of a delay). To avoid this we turned off using the mirror and the checksum db. Doing this opens us up to a potential supply chain attack - since we aren't verifying the sums. Settings are here: https://go.dev/ref/mod#checksum-database |
|
I think the env var settings let you tweak which modules we do verification on - that could be an minimal option here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm worried people will forget this is turned off and not realize we're exposing ourselves
Can we add retries for CI?
Originally posted by @dprotaso in #10 (comment)
The text was updated successfully, but these errors were encountered: