Jacek--

In a similar setup (must be able to build without internet access) we simply used glide on the developer machines, then used https://github.com/Masterminds/rmvcsdir to remove vcs stuff and commit full deps to our local version control -- then all that is needed to build is to clone it and build it, no other steps, no checking the internet for anything. It also gives you fully reproducible builds. Glide still worked for things like glide up because it used the glide.yaml I believe.

On Fri, Jan 6, 2017, at 11:35, Jacek Furmankiewicz wrote:
> Hi everyone,
>
> We are operating in a SOC2 environment, which our customers demanded
> as we host their systems and their data.
> It's a common requirement for many companies in a cloud environment.
>
> One of the key requirements of SOC2 is that *all* external
> libraries/dependencies are mirrored internally and *NOT* fetched directly
> from the public Internet during the code building process.
>
> With our Java apps, this is simple. We have an internal Artifactory
> instance and we mirror all the Java libraries from the Maven Central
> repository there
> (after each and every one of them goes through legal license review,
> to exclude GPL, etc).
>
> All of our build servers are locked down and cannot reach the public
> Internet, only our local library mirror.
> All of our Gradle build scripts are locked down to allow fetching
> dependencies from our local Maven mirror only.
>
> As you can imagine, this is anathema to how the entire dependency
> management works in Go (and all the related tools, like go get, etc).
>
> Even if we mirrored Go git repos for the libraries we want in our
> internal Stash repository,
> pretty much all the current Go build tools (e.g. Glide) would still go
> to the public internet to look for dependencies of any library.
>
> e.g.:
>
> https://github.com/Masterminds/glide/issues/729
>
> Just wanted to hear if there are any Go shops out there that operate
> in a SOC2 environment and what combination of tools / procedures
> you use.
>
> We are very interested in Go adoption for some of our real-time
> server-side applications, but the way dependency management works in Go
> is a total showstopper due to the stringent security requirements
> of SOC2.
>
> I would greatly appreciate any input, comments, suggestions from the
> Go community.
>
> Much appreciated
> Jacek
>
> --
> You received this message because you are subscribed to the Google
> Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Robert Melton | rmel...@fastmail.com
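The "strip the VCS metadata out of vendor/ and commit the result" step Robert describes, as an added example that is not part of the thread and is not the rmvcsdir tool itself. It is a small POSIX shell script: one function removes every nested .git/.hg/.bzr/.svn entry below a vendor directory (including the plain `.git` files that submodules and worktrees leave behind), a second counts what is left so a CI job can fail the build if any vendored dependency still carries repository metadata. The vendor paths under `make_fixture` are constructed sample data, not real dependencies.

```shell
#!/bin/sh
# Added example (not from the thread, not rmvcsdir): flatten a vendor/ tree
# so it can be committed whole and built from a plain clone with no network.
set -eu

# Names of VCS metadata entries we do not want inside a committed vendor tree.
# -prune stops find from descending into a matched directory; -exec rm -rf
# then deletes it (or the .git *file* a submodule/worktree checkout leaves).
strip_vcs_dirs() {
  find "$1" \( -name .git -o -name .hg -o -name .bzr -o -name .svn \) \
       -prune -exec rm -rf '{}' +
}

# Print the number of VCS metadata entries still present below $1.
# A CI gate can compare this against 0 before allowing a commit or build.
count_vcs_dirs() {
  find "$1" \( -name .git -o -name .hg -o -name .bzr -o -name .svn \) \
       -prune -print | wc -l | tr -d ' '
}

# Return 0 if the tree is clean, 1 otherwise (usable directly in `if`).
vendor_is_clean() {
  [ "$(count_vcs_dirs "$1")" -eq 0 ]
}

# Constructed fixture (hypothetical import paths) so the script runs offline:
# three vendored packages that still carry .git / .hg / .svn metadata.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/vendor/github.com/example/lib/.git/objects"
  mkdir -p "$root/vendor/github.com/example/lib/sub/.hg"
  mkdir -p "$root/vendor/golang.org/x/tool/.svn"
  echo 'package lib' > "$root/vendor/github.com/example/lib/lib.go"
  echo "$root"
}

# When invoked with a vendor directory, clean it and report; otherwise only
# define the functions so the file can be sourced.
if [ "$#" -gt 0 ]; then
  strip_vcs_dirs "$1"
  echo "remaining VCS entries under $1: $(count_vcs_dirs "$1")"
fi
```

Run it as `sh strip-vendor-vcs.sh ./vendor` after `glide install`, then `git add vendor` and commit; the `vendor_is_clean` check is the one to put in the pre-commit hook or the locked-down build job so a dependency that sneaked back in with its `.git` directory is rejected rather than silently pulled from the Internet later.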