I'm not sure if I fully understand your point on "vetted binaries", but if all source code is vetted and then transferred to the isolated environment, there should not be a problem with security issues. All the developer machines already live in the same isolated environment, and I would also place Athens there, so all builds will be made with vetted source code.
It's easily possible that I miss some important point in this scenario, but anyway I will verify your idea and take it into account for our Go development strategy.

On Thursday, 13 December 2018 10:38:30 UTC+1, ohir wrote:
> On Wed, 12 Dec 2018 22:15:23 -0800 (PST)
> snmed <sandro....@gmail.com> wrote:
>
> > Thank you very much for your reply. It seems to be a possible way to do it,
> > what do you think about the athens way?
>
> From the secop pov it'll be a hell's gate. Also it does not allow for
> vetted binary artifacts as current unix/Go ways do.
>
> > what do you think about the athens way?
>
> 1) Athens is in flux. 2) It is yet another complicated piece of software
> to analyze and monitor. 3) It again brings all compiling to the local
> machine while GOPATH way allows all devs to use binary artifacts built
> on the hardened builder machine.
>
> > In my point of view it would be the easiest way as far as I can preload the
> > athens cache with all the required packages.
>
> So the security team will need to produce an internal vetted package instead
> of signing a tag within the IDP 3rd party package repo.
>
> (IMO whole idea of "zipped packages" is the bad J-flu infection... Ah - CoC)
>
> > And then the only thing a developer has to do, is to set the GOPROXY to the
> > athens instance.
>
> It fits loose distributed settings. Not controlled ones. And I -- from
> "offline"/"airgap" constraint -- assumed that your client is concerned about
> security, not about connectivity.
>
> Hope this helps,
>
> --
> Wojciech S. Czarnecki
> << ^oo^ >> OHIR-RIPE
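
Added example, not part of the original thread: a check a developer machine in the isolated environment could run to confirm that GOPROXY points only at the internal Athens instance, with no `direct` entry or public proxy that would fetch unvetted source. The URL in `ALLOWED_PROXY` and the function name `check_goproxy` are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that a GOPROXY value resolves modules only through
# the internal, pre-loaded proxy. ALLOWED_PROXY is a constructed placeholder.
ALLOWED_PROXY="${ALLOWED_PROXY:-http://athens.internal.example:3000}"

# check_goproxy VALUE
# Prints a verdict and returns 0 only if every entry is the allowed proxy.
# Typical call on a developer machine: check_goproxy "$(go env GOPROXY)"
check_goproxy() {
    value=$1
    if [ -z "$value" ]; then
        echo "FAIL: GOPROXY is not set, so the go command uses its default source"
        return 1
    fi

    # Newer go releases accept a list separated by ',' or '|'; split on both.
    old_ifs=$IFS
    IFS=',|'
    set -f              # no globbing while splitting
    set -- $value
    set +f
    IFS=$old_ifs

    for entry in "$@"; do
        case $entry in
            "$ALLOWED_PROXY"|"$ALLOWED_PROXY"/)
                ;;      # the vetted internal proxy
            off)
                ;;      # "off" forbids downloads, which is safe here
            direct)
                echo "FAIL: 'direct' fetches from the origin repository, bypassing the proxy"
                return 1
                ;;
            *)
                echo "FAIL: unexpected proxy entry '$entry'"
                return 1
                ;;
        esac
    done

    echo "OK: modules are resolved only via $ALLOWED_PROXY"
    return 0
}
```
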