Hi everyone, We are operating in a SOC2 environment, which our customers demanded as we host their systems and their data. It's a common requirement for many companies in a cloud environment.
One of the key requirements of SOC2 is that *all* external libraries/depdencies are mirrored internally and *NOT*fetched directly from public Internet during the code building process. With our Java apps, this is simple. We have an internal Artifactory instance and we mirror all the Java libraries from the Maven Central repository there (after each and every one of them goes through legal license review, to exclude GPL, etc). All of our build servers are locked down and cannot reach public Internet, only our local library mirror. All of our Gradle build scripts are locked down to allow fetching dependencies from our local Maven mirror only. As you can imagine, this is anathema to how entire dependency management works in Go (and all the related tools, like go get, etc). Even if we mirrored Go git repos for the libraries we want in our internal Stash repository, pretty much all the current Go build tools (e,g. Glide) would still go to the public internet to look for dependencies of any library. e.g.: https://github.com/Masterminds/glide/issues/729 Just wanted to hear if there are any Go shops out there that operate in a SOC2 environment and what combination of tools / procedures do you use. We are very interested in Go adoption for some of our real-time server-side applications, but the way dependency management works in Go is a total showstopper due to the stringent security requirements of SOC2. I would greatly appreciate any input, comments, suggestions from the Go community. Much appreciated Jacek -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
