by kramerger 894 days ago
This is a dot-dot release with just a few minor fixes. Not sure why it's on the front page, but since I have your attention... here is something I noticed just the other day:

> the go command by default downloads and authenticates modules using the Go module mirror

Maybe I'm reading this incorrectly, but it sounds as if Google will be able to see every dependency for every project I ever work on.

This is the second time Go adds something that can be used to spy on developers. Obviously they pinky promise not to abuse it, but why does this eventually happen to every Google product?


The Python foundation can see all the dependencies you download from PyPI, and NPM can see all the dependencies you download from NPM/Yarn. This isn't unusual for a package manager.

If you prefer, you can run your own proxy and configure the Go command to use it instead.

Private modules don't use the mirror.

Unlike the ones you mentioned, Go doesn't have a central repository. The go.mod contains references to git repositories or local folders:

https://go.dev/doc/modules/gomod-ref

Not sure why a proxy is needed.

It's needed to provide checksums for each module. It also significantly improves performance and prevents a left-pad situation.

https://go.dev/blog/module-mirror-launch

These are GIT repositories, they have their own cryptographically unique identifiers. No need to send your data to a third-party to get it confirmed.

Maybe I'm missing something, but this whole operation feels like a huge infrastructure paid by Google for something that is not needed.

> cryptographically unique

Git uses SHA1 which is pretty far from cryptographically secure. It’s unlikely that’s the sole reason for having a separate checksum database though.

Doing some searching around online, it seems like git introduced sha256 support several years ago.

Git history can be rewritten or deleted, e.g. by the git rebase command. The mirror's checksum DB is independent and prevents your build from breaking or being altered if a dependency is manipulated or deleted.
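The two comments above (the mirror exists to provide per-module checksums; those checksums are independent of whatever the upstream git history says today) come down to how a go.sum line is produced and checked. The following is an added example, not code from the thread or from the Go project: it reimplements the "h1:" directory hash that go.sum records (the algorithm of golang.org/x/mod/sumdb/dirhash.Hash1, rewritten here over an in-memory file map rather than a module zip), parses go.sum lines, and verifies a module against them. The module path example.com/leftpad, its files and the go.sum content are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles stands in for an extracted module zip: path inside the zip
// ("module@version/relative/path") mapped to file content.
type ModuleFiles map[string]string

// Hash1 computes the "h1:" hash recorded in go.sum (dirhash.Hash1 semantics):
// for each file, in sorted path order, append "<hex sha256 of content>  <path>\n"
// to a running SHA-256, then base64-encode the final digest. The hash covers
// the module's content only; it says nothing about git commits or tags.
func Hash1(files ModuleFiles) (string, error) {
	paths := make([]string, 0, len(files))
	for p := range files {
		if strings.Contains(p, "\n") {
			return "", errors.New("file names with newlines are not supported")
		}
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fileSum := sha256.Sum256([]byte(files[p]))
		fmt.Fprintf(h, "%x  %s\n", fileSum[:], p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// SumEntry is one go.sum line: "<module> <version>[/go.mod] <h1:hash>".
type SumEntry struct {
	Module, Version, Hash string
}

// ParseGoSum parses go.sum content into a map keyed by "module version".
func ParseGoSum(content string) (map[string]SumEntry, error) {
	out := map[string]SumEntry{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", line)
		}
		out[f[0]+" "+f[1]] = SumEntry{Module: f[0], Version: f[1], Hash: f[2]}
	}
	return out, sc.Err()
}

// Verify recomputes the hash of downloaded module content and compares it with
// the recorded entry, the same check the go command performs on download.
// A mismatch means the bytes fetched now differ from the bytes recorded when
// the dependency was added, whatever the upstream repository currently serves.
func Verify(sums map[string]SumEntry, module, version string, files ModuleFiles) error {
	entry, ok := sums[module+" "+version]
	if !ok {
		return fmt.Errorf("%s@%s: missing go.sum entry", module, version)
	}
	got, err := Hash1(files)
	if err != nil {
		return err
	}
	if got != entry.Hash {
		return fmt.Errorf("%s@%s: checksum mismatch\n\tgot  %s\n\twant %s", module, version, got, entry.Hash)
	}
	return nil
}

func main() {
	// Constructed module; the path example.com/leftpad is hypothetical.
	original := ModuleFiles{
		"example.com/leftpad@v1.0.0/go.mod":     "module example.com/leftpad\n\ngo 1.20\n",
		"example.com/leftpad@v1.0.0/leftpad.go": "package leftpad\n\nfunc Pad(s string, n int) string { return s }\n",
	}
	recorded, _ := Hash1(original) // what go.sum captured at first download
	sums, _ := ParseGoSum("example.com/leftpad v1.0.0 " + recorded + "\n")
	fmt.Println("pristine:", Verify(sums, "example.com/leftpad", "v1.0.0", original))

	// Same version tag, rewritten content (e.g. a force-pushed tag).
	tampered := ModuleFiles{}
	for k, v := range original {
		tampered[k] = v
	}
	tampered["example.com/leftpad@v1.0.0/leftpad.go"] += "\n// injected\n"
	fmt.Println("tampered:", Verify(sums, "example.com/leftpad", "v1.0.0", tampered))
}
```

The check above is local to one machine's go.sum; the checksum database (GOSUMDB) extends it to first downloads by giving every developer the same hash for a given module@version, which is what makes a silently re-tagged dependency visible. Modules that must not touch Google's infrastructure at all can be excluded with the GOPRIVATE setting (or GONOPROXY / GONOSUMDB separately), which keeps their paths off both the mirror and the checksum database.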

As sibling comment notes, Git's hashes are not secure: https://shattered.it

Yeah, people complained fairly loudly about this back when it was implemented, but the Go team just completely ignored the problem.

At least they listened when people complained about the more recent "let's include telemetry in the toolchain" proposal and didn't implement that.

Ugh, more telemetry.