Jacek, this is a known use case, one which other companies also operate under. Right now the tooling isn't great. However, this is known and I hope that this will be better addressed in the next 6 months. A number of people will be focusing on dependency management this year. Some projects allow setting the origin separately from the import path (govendor allows this).
Thanks,
-Daniel

On Friday, January 6, 2017 at 8:35:41 AM UTC-8, Jacek Furmankiewicz wrote:
> Hi everyone,
>
> We are operating in a SOC2 environment, which our customers demanded as we host their systems and their data.
> It's a common requirement for many companies in a cloud environment.
>
> One of the key requirements of SOC2 is that *all* external libraries/dependencies are mirrored internally and *NOT* fetched directly from the public Internet during the code building process.
>
> With our Java apps, this is simple. We have an internal Artifactory instance and we mirror all the Java libraries from the Maven Central repository there (after each and every one of them goes through legal license review, to exclude GPL, etc.).
>
> All of our build servers are locked down and cannot reach the public Internet, only our local library mirror.
> All of our Gradle build scripts are locked down to allow fetching dependencies from our local Maven mirror only.
>
> As you can imagine, this is anathema to how the entire dependency management works in Go (and all the related tools, like go get, etc.).
>
> Even if we mirrored the Go git repos for the libraries we want in our internal Stash repository, pretty much all the current Go build tools (e.g. Glide) would still go to the public internet to look for dependencies of any library.
>
> e.g.:
>
> https://github.com/Masterminds/glide/issues/729
>
> Just wanted to hear if there are any Go shops out there that operate in a SOC2 environment and what combination of tools / procedures you use.
>
> We are very interested in Go adoption for some of our real-time server-side applications, but the way dependency management works in Go is a total showstopper due to the stringent security requirements of SOC2.
>
> I would greatly appreciate any input, comments, suggestions from the Go community.
> Much appreciated
> Jacek
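Daniel's point about govendor is that its vendor/vendor.json records an "origin" for each package separately from its import path, so the build can be pointed at an internal mirror while the code keeps its public import path. A build server in the environment Jacek describes still needs a check that nobody left an entry pointing back at a public host. The program below, an added example that is not code from the thread or from govendor itself, parses a constructed vendor.json and flags packages whose origin is missing, lies outside the mirror prefix, or has no pinned revision. The mirror path "stash.example.internal/mirror/" and the package entries are assumptions made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// vendorFile holds the subset of govendor's vendor/vendor.json fields this
// check needs. govendor writes "path" (the import path used by the code) and,
// when set, "origin" (where the source was actually fetched from).
type vendorFile struct {
	RootPath string          `json:"rootPath"`
	Package  []vendorPackage `json:"package"`
}

type vendorPackage struct {
	Path     string `json:"path"`
	Origin   string `json:"origin"`
	Revision string `json:"revision"`
}

// Violation is one vendored package that would be fetched from outside the
// mirror (or cannot be reproduced because no revision is pinned).
type Violation struct {
	Path   string
	Reason string
}

// CheckOrigins parses vendor.json and returns one Violation per package whose
// origin is empty, whose origin is not under allowedPrefix, or whose revision
// is not pinned. Results are sorted by import path for stable output.
func CheckOrigins(data []byte, allowedPrefix string) ([]Violation, error) {
	var vf vendorFile
	if err := json.Unmarshal(data, &vf); err != nil {
		return nil, fmt.Errorf("parse vendor.json: %w", err)
	}
	var out []Violation
	for _, p := range vf.Package {
		switch {
		case p.Origin == "":
			// With no origin, govendor fetches from the import path itself,
			// i.e. the public host, which is exactly what must not happen.
			out = append(out, Violation{p.Path, "no origin set; would be fetched from " + p.Path})
		case !strings.HasPrefix(p.Origin, allowedPrefix):
			out = append(out, Violation{p.Path, "origin " + p.Origin + " is outside " + allowedPrefix})
		case p.Revision == "":
			out = append(out, Violation{p.Path, "no pinned revision"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// sampleVendorJSON is constructed for this example. The mirror host
// stash.example.internal and the package list are assumptions, not real data.
const sampleVendorJSON = `{
  "rootPath": "example.internal/app",
  "package": [
    {"path": "github.com/Masterminds/semver",
     "origin": "stash.example.internal/mirror/github.com/Masterminds/semver",
     "revision": "abc123"},
    {"path": "github.com/pkg/errors", "origin": "", "revision": "def456"},
    {"path": "golang.org/x/net/context",
     "origin": "github.com/golang/net/context", "revision": "789"}
  ]
}`

// mirrorPrefix is the assumed internal mirror path prefix every origin must start with.
const mirrorPrefix = "stash.example.internal/mirror/"

func main() {
	data := []byte(sampleVendorJSON)
	if len(os.Args) > 1 { // optionally check a real vendor/vendor.json
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	violations, err := CheckOrigins(data, mirrorPrefix)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, v := range violations {
		fmt.Printf("%s: %s\n", v.Path, v.Reason)
	}
	if len(violations) > 0 {
		os.Exit(1) // fail the build step if anything escapes the mirror
	}
}
```

Run it with no arguments to see the constructed sample flagged (two of the three entries fail), or pass the path to a real vendor/vendor.json as a pre-build gate on a locked-down build server; the non-zero exit status is what makes it usable from a CI step.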