> All of our build servers are locked down and cannot reach public Internet, only our local library mirror.
With this in mind, you could use gvt (https://github.com/FiloSottile/gvt). All your devs should use it to fetch dependencies. Yes, they would use the open internet, but only while they get their app working; at commit time, you only commit the manifest file. A sample file looks like:

    {
      "version": 0,
      "dependencies": [
        {
          "importpath": "github.com/dgryski/dkeyczar",
          "repository": "https://github.com/dgryski/dkeyczar",
          "vcs": "git",
          "revision": "05c8ea381e02781927d6c633076910b86c6ce770",
          "branch": "master",
          "notests": true
        },
        {
          "importpath": "github.com/golang/glog",
          "repository": "https://github.com/golang/glog",
          "vcs": "git",
          "revision": "23def4e6c14b4da8ac2ed8007337bc5eb5007998",
          "branch": "master",
          "notests": true
        }
      ]
    }

This is a simple JSON file. You then need to provide your lawyers with a way to have, in a central place, a list of the approved Go dependencies, so you can pick these fields:

    "importpath": "github.com/golang/glog",
    "repository": "https://github.com/golang/glog",
    "vcs": "git",
    "revision": "23def4e6c14b4da8ac2ed8007337bc5eb5007998",
    "branch": "master",

You will also create a builder $GOPATH with all these approved dependencies (like someone else already suggested).

Once you have that, the build server would first run your tool to make sure that every single entry in the manifest file is in the lawyer-approved list, down to the commit. If that passes, then you run gvt restore, which will look at the manifest file and download all the dependencies into the vendor folder of the current project.

Oh, and just in case you have more of those non-law-abiding devs, as part of the build you can first make sure that the vendor folder is empty and only has the manifest file, so nobody can sneak in a committed dependency.

gvt restore would use the approved GOPATH, so it will not need internet access.

I think this covers all the restrictions you need. Hope it helps.
Diego

On Friday, January 6, 2017 at 11:35:41 AM UTC-5, Jacek Furmankiewicz wrote:
>
> Hi everyone,
>
> We are operating in a SOC2 environment, which our customers demanded as we host their systems and their data.
> It's a common requirement for many companies in a cloud environment.
>
> One of the key requirements of SOC2 is that *all* external libraries/dependencies are mirrored internally and *NOT* fetched directly from public Internet during the code building process.
>
> With our Java apps, this is simple. We have an internal Artifactory instance and we mirror all the Java libraries from the Maven Central repository there (after each and every one of them goes through legal license review, to exclude GPL, etc).
>
> All of our build servers are locked down and cannot reach public Internet, only our local library mirror.
> All of our Gradle build scripts are locked down to allow fetching dependencies from our local Maven mirror only.
>
> As you can imagine, this is anathema to how entire dependency management works in Go (and all the related tools, like go get, etc).
>
> Even if we mirrored Go git repos for the libraries we want in our internal Stash repository, pretty much all the current Go build tools (e.g. Glide) would still go to the public internet to look for dependencies of any library.
>
> e.g.:
>
> https://github.com/Masterminds/glide/issues/729
>
> Just wanted to hear if there are any Go shops out there that operate in a SOC2 environment and what combination of tools / procedures do you use.
>
> We are very interested in Go adoption for some of our real-time server-side applications, but the way dependency management works in Go is a total showstopper due to the stringent security requirements of SOC2.
>
> I would greatly appreciate any input, comments, suggestions from the Go community.
>
> Much appreciated
> Jacek

-- 
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
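The pre-restore gate Diego describes (every manifest entry must match the approved list down to the commit, and vendor/ may contain nothing but the manifest) is small enough to show in working Go. The program below is an added example for this thread, not code from Diego or from the gvt project. It parses the sample manifest from the reply (embedded verbatim so it runs offline), compares each entry's import path, repository URL and revision against a constructed allow-list that stands in for the central lawyer-approved list, and reports anything that would block the build. Names such as CheckManifest, CheckVendorOnlyManifest and approvedList are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Dependency mirrors one entry of a gvt manifest, using the field names shown in the post.
type Dependency struct {
	ImportPath string `json:"importpath"`
	Repository string `json:"repository"`
	VCS        string `json:"vcs"`
	Revision   string `json:"revision"`
	Branch     string `json:"branch"`
	NoTests    bool   `json:"notests"`
}

// Manifest is the top-level gvt manifest document.
type Manifest struct {
	Version      int          `json:"version"`
	Dependencies []Dependency `json:"dependencies"`
}

// Approved is one reviewed dependency: the repository it must come from and
// the exact commits that passed review.
type Approved struct {
	Repository string
	Revisions  map[string]bool
}

// sampleManifest is the manifest from the post, embedded so the check runs offline.
const sampleManifest = `{
  "version": 0,
  "dependencies": [
    { "importpath": "github.com/dgryski/dkeyczar", "repository": "https://github.com/dgryski/dkeyczar",
      "vcs": "git", "revision": "05c8ea381e02781927d6c633076910b86c6ce770", "branch": "master", "notests": true },
    { "importpath": "github.com/golang/glog", "repository": "https://github.com/golang/glog",
      "vcs": "git", "revision": "23def4e6c14b4da8ac2ed8007337bc5eb5007998", "branch": "master", "notests": true }
  ]
}`

// approvedList is a constructed allow-list, a hypothetical stand-in for the central
// "lawyer approved" list; only these import path / repository / commit triples pass.
var approvedList = map[string]Approved{
	"github.com/dgryski/dkeyczar": {
		Repository: "https://github.com/dgryski/dkeyczar",
		Revisions:  map[string]bool{"05c8ea381e02781927d6c633076910b86c6ce770": true},
	},
	"github.com/golang/glog": {
		Repository: "https://github.com/golang/glog",
		Revisions:  map[string]bool{"23def4e6c14b4da8ac2ed8007337bc5eb5007998": true},
	},
}

// CheckManifest parses a gvt manifest and returns one line per entry that is not on
// the approved list. The commit hash is compared exactly, so an approved import path
// pinned to an unreviewed revision still fails. An empty result means the build may proceed.
func CheckManifest(data []byte, approved map[string]Approved) ([]string, error) {
	var m Manifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	var problems []string
	for _, d := range m.Dependencies {
		a, ok := approved[d.ImportPath]
		switch {
		case !ok:
			problems = append(problems, fmt.Sprintf("%s: import path is not approved", d.ImportPath))
		case d.Repository != a.Repository:
			problems = append(problems, fmt.Sprintf("%s: repository %q is not the approved %q", d.ImportPath, d.Repository, a.Repository))
		case !a.Revisions[d.Revision]:
			problems = append(problems, fmt.Sprintf("%s: revision %s has not been approved", d.ImportPath, d.Revision))
		}
	}
	return problems, nil
}

// CheckVendorOnlyManifest enforces the "vendor/ holds nothing but the manifest" rule on a
// list of directory entry names and returns whatever else was committed there.
func CheckVendorOnlyManifest(names []string) []string {
	var extra []string
	for _, n := range names {
		if n != "manifest" {
			extra = append(extra, n)
		}
	}
	return extra
}

func main() {
	problems, err := CheckManifest([]byte(sampleManifest), approvedList)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	if len(problems) > 0 {
		fmt.Println("manifest rejected:\n  " + strings.Join(problems, "\n  "))
		os.Exit(1)
	}
	// The vendor/ check reads the real directory of the current checkout, if present.
	if entries, err := os.ReadDir("vendor"); err == nil {
		var names []string
		for _, e := range entries {
			names = append(names, e.Name())
		}
		if extra := CheckVendorOnlyManifest(names); len(extra) > 0 {
			fmt.Println("vendor/ contains committed files besides the manifest:", strings.Join(extra, ", "))
			os.Exit(1)
		}
	}
	fmt.Println("manifest approved; safe to run gvt restore against the approved GOPATH")
}
```

Run from the project root before gvt restore; a non-zero exit stops the build. The allow-list is keyed by import path but also pins the repository URL, so an entry that keeps an approved import path while pointing "repository" at a different remote is rejected as well.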