On Tue, Apr 30, 2019 at 5:07 AM Jakub Cajka <jca...@redhat.com> wrote:
> > Our privacy policy explains how we collect and use your information. The
> > privacy policy for all of these services is proxy.golang.org/privacy.
>
> If I'm not mistaken, the page that you are linking for privacy information
> of the proxy seems not related to it at all. It looks like some sort of
> generic terms that Google is using for all of its services. It is not
> describing what is collected and what for, how and where it is retained and
> stored, etc. in context of the proxy/this new google service.
>
> Could you expand on these topics in actual go proxy context, please? What
> are you collecting/are you planning on collecting and what for?
>

That's right - the privacy policy for the servers is currently Google's
standard privacy policy, so that URL is a simple redirect. We very much
want to provide more specific information in the future. When that happens,
proxy.golang.org/privacy will be updated to either redirect to the more
specific policy or serve it directly. That's all I can say right now.

> > The module checksum database at sum.golang.org serves the URLs described in
> > the Secure the Public Go Module Ecosystem
> > <https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md>
>
> With a brief look at the proposal, just from the technical
> perspective (kind of including modules too). Little has changed from my
> perspective since the initial proposal. I'm still worried that I will have
> to disable/de-configure it or, in the worst-case scenario, even patch it
> (out) to make our build system in Fedora work with Go sources that we are
> curating/shipping/using (i.e. occasional need to carry downstream/backport
> patches). Leaving out for now the privacy/MITM concerns, which look nearly
> the same (i.e. IMHO not resolved) as previously.
>

Yes, we still have open issues to address those various concerns. Note that
right now the proxy and checksum database are still disabled by default.
Even once they are enabled, all you need to do to bypass them is:

    export GOPROXY=direct; export GONOSUMDB='*'

Now that the server is available for public alpha testing I intend to
circle back to trying to work out the best path forward for repackagers
like Fedora and for those concerned about privacy. It's easier to have
those conversations if you can show working code.

> Is there anywhere a place where I or anyone else could pull the sources and
> contribute to all of these new Go features/services that you are
> deploying/running, or so I/anyone could potentially even run my own
> instances of proxy.golang.org, sum.golang.org and index.golang.org and
> help with devel?
>

There isn't right now, because they are tied a bit to Google infrastructure.
For proxy.golang.org, as I mentioned in my reply to Marwan, we intend to
publish a short reference proxy that people can adapt as needed, and of
course there is also Athens already.
For sum.golang.org, there is a reference implementation in
golang.org/cl/161665 and related CLs; those will land at
golang.org/x/exp/sumdb/... and eventually move to a more permanent location.
There's no reference for index.golang.org but it's little more than a
seekable append-only file.

Best,
Russ
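
Added example (not part of the original message and not code from the Go project): a small checker showing which modules a given GONOSUMDB value exempts from checksum-database verification, comparing the blanket `'*'` from the bypass command above with narrower patterns. It assumes the matching rule documented for the released go command (comma-separated path.Match globs compared against module path prefixes); the module list and the private host name are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// skipsSumDB reports whether modPath matches any pattern in a GONOSUMDB-style
// list. Assumption: patterns are comma-separated path.Match globs, each compared
// against as many leading path elements of modPath as the pattern itself has.
func skipsSumDB(patterns, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for _, glob := range strings.Split(patterns, ",") {
		if glob == "" {
			continue
		}
		n := strings.Count(glob, "/") + 1
		if len(elems) < n {
			continue // module path is shorter than the pattern: no prefix to match
		}
		prefix := strings.Join(elems[:n], "/")
		if ok, err := path.Match(glob, prefix); err == nil && ok {
			return true
		}
	}
	return false
}

// unverified returns the modules that would NOT be checked against the
// checksum database under the given GONOSUMDB value.
func unverified(patterns string, mods []string) []string {
	var out []string
	for _, m := range mods {
		if skipsSumDB(patterns, m) {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// Constructed sample build list; src.example.internal is a hypothetical host.
	mods := []string{"golang.org/x/text", "github.com/pkg/errors", "src.example.internal/team/lib"}
	for _, v := range []string{"*", "src.example.internal", "*.example.internal,github.com/pkg/*"} {
		fmt.Printf("GONOSUMDB=%q leaves unverified: %v\n", v, unverified(v, mods))
	}
}
```

With `'*'` every module in the list is exempt, while a host-scoped pattern exempts only the locally curated module and leaves the public ones verified.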
