[dharmab]

The Python foundation can see all the dependencies you download from PyPI, and NPM can see all the dependencies you download from NPM/Yarn. This isn't unusual for a package manager.

If you prefer, you can run your own proxy and configure the Go command to use it instead.

Private modules don't use the mirror.

[kramerger]

Unlike the ones you mentioned, Go doesn't have a central repository. The go.mod contains references to git repositories or local folders:

https://go.dev/doc/modules/gomod-ref

Not sure why a proxy is needed.

[dharmab]

It's needed to provide checksums for each module. It also significantly improves performance and prevents a left-pad situation.

https://go.dev/blog/module-mirror-launch

[kramerger]

These are GIT repositories, they have their own cryptographically unique identifiers. No need to send your data to a third-party to get it confirmed.

Maybe I'm missing something, but this whole operation feels like a huge infrastructure paid by Google for something that is not needed.

[ratorx]

> cryptographically unique

Git uses SHA1 which is pretty far from cryptographically secure. It’s unlikely that’s the sole reason for having a separate checksum database though.

[justinclift]

Doing some searching around online, it seems like git introduced sha256 support several years ago.

[dharmab]

Only for some local operations- git protocol still uses SHA-1 for compatibility with old clients, and existing SHA-1 objects in old repositories aren't converted.

[dharmab]

Git history can be rewritten or deleted e.g. by the git rebase command. The mirror's checksum DB is independent and prevents your build from breaking or being altered if a dependency is manipulated or deleted.

As sibling comment notes, Git's hashes are not secure: https://shattered.it