On Monday, October 10, 2022 at 3:11:06 PM UTC+8 Brian Candler wrote:
> > By the go module cache system design, if you trust the server set in > your GOSUMDB env var, > > which is defaulted to sum.golang.org, then it is not a matter whatever > proxy server your are using. > > From the point of view of downloaded package integrity, yes. > > But there are other things an untrustworthy proxy might do - such as > tracking what packages and versions you use, identifying which clients are > using packages with known security vulnerabilities, selling that data on to > third parties etc. > This is true for any website we visit daily. :D -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/6bcbf0bf-1988-446b-ba80-1093786113b9n%40googlegroups.com.
