In-reply-to » @prologic From Russ Cox: "note that if you set GOPROXY=direct, the go command still uses the checksum database to protect against supply chain attacks. If you really want the go command not to use servers, you also need to set GOSUMDB=off."

@ocdtrekkie@twtxt.net Yes, but think about it… (not that I’m defending Google™ here), if you were to implement this yourself, you would have to separate out “fetching a package” vs. “verifying the integrity of a package”, right? – Put another way, you wouldn’t trust the checksum/integrity of a package from the source you got the package from (in this case Git), would you? The only way you could do this is if the checksum was also signed with a key. Even as I write this, I’m not even sure if the GOSUMDB mechanisms can be trusted at all either, as it assumes the “checksums” haven’t been tampered with by Google™ themselves, meaning that in a supply-chain attack, you have to trust Google™ 🤦‍♂️
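The fetch-versus-verify split described above, as an added Go example (not code from this thread or from the Go toolchain): a go.sum-style "h1:" hash modelled on the layout of golang.org/x/mod/sumdb/dirhash, with the checksum line signed by a key that the checksum database holds and the code host does not, so neither altered files nor a forged checksum pass. The module path, version, file contents and key pair are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// File is one file of a module as downloaded from the (untrusted) code host.
type File struct{ Name, Data string }

// h1Hash builds a go.sum-style "h1:" hash: sha256 of each file, listed as "<hex>  <name>\n" in name order, then sha256 of that listing, base64-encoded.
func h1Hash(files []File) string {
	sorted := append([]File(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	listing := ""
	for _, f := range sorted {
		listing += fmt.Sprintf("%x  %s\n", sha256.Sum256([]byte(f.Data)), f.Name)
	}
	sum := sha256.Sum256([]byte(listing))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// signChecksum is the checksum database's job: sign "module version hash" with a key the code host never holds.
func signChecksum(priv ed25519.PrivateKey, module, version, hash string) []byte {
	return ed25519.Sign(priv, []byte(module+" "+version+" "+hash))
}

// verifyModule is the fetcher's job: the claimed hash must be signed by the pinned key, and the files actually downloaded must hash to exactly that value.
func verifyModule(pub ed25519.PublicKey, module, version, hash string, sig []byte, files []File) bool {
	line := []byte(module + " " + version + " " + hash)
	return ed25519.Verify(pub, line, sig) && h1Hash(files) == hash
}

// runDemo returns (genuine accepted, altered files rejected, forged checksum rejected).
func runDemo() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the pinned sum.golang.org key
	mod, ver := "example.com/m", "v1.0.0"    // constructed sample module
	files := []File{{"go.mod", "module example.com/m\n"}, {"m.go", "package m\n"}}
	hash := h1Hash(files)
	sig := signChecksum(priv, mod, ver, hash)
	altered := []File{files[0], {"m.go", "package m // changed after publication\n"}}
	return verifyModule(pub, mod, ver, hash, sig, files),
		!verifyModule(pub, mod, ver, hash, sig, altered),
		!verifyModule(pub, mod, ver, h1Hash(altered), sig, altered)
}

func main() { fmt.Println(runDemo()) } // true true true
```

The third check is the point of the post: re-hashing the altered files gives a self-consistent checksum, but without the database's key it cannot be signed, so trust rests on that key rather than on the host that served the code.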
