On Wed, 12 Dec 2018 22:15:23 -0800 (PST) snmed <sandro.p.da...@gmail.com> wrote:
> Thank you very much for your reply. It seems to be a possible way to do it,
> what do you think about the athens way?

From the secop pov it'll be a hell's gate. Also it does not allow for
vetted binary artifacts as current unix/Go ways do.

> what do you think about the athens way?

1) Athens is in flux.
2) It is yet another complicated piece of software to analyze and monitor.
3) It again brings all compiling to the local machine while GOPATH way allows
   all devs to use binary artifacts built on the hardened builder machine.

> In my point of view it would be the easiest way as far I can preload the
> athens cache with all the required packages.

So the security team will need to produce an internal vetted package instead
of signing a tag within the IDP 3rd party package repo.
(IMO whole idea of "zipped packages" is the bad J-flu infection... Ah - CoC)

> And then the only thing a developer has to do, is to set the GOPROXY to the
> athens instance.

It fits loose distributed settings. Not controlled ones. And I -- from
"offline"/"airgap" constraint -- assumed that your client is concerned about
security, not about connectivity.

Hope this helps,

--
Wojciech S. Czarnecki
 << ^oo^ >> OHIR-RIPE