How about a flag for 'go list' making the transaction log on
sum.golang.org <http://sum.golang.org> optional?
Or, how about just let users run their own:
sum.wit.com <http://sum.wit.com> # my own immutable transaction log.
I don't see how this helps with your initial request to delete modules
from the proxy.*
*
Ah, poor scripting languages. Since we are a compiler, it's not a fair
fight is it?
The left-pad incident has absolutely nothing to do with how code is
executed. Gophers can delete their repositories just like NodeJS devs can.
Asking to be able to delete errors and mistakes and start over is
reasonable.
It is, and a solution exists: retract all versions of the module and
start over. Inform the users of your module to switch over to the new
namespace. (Give them time.)
If you actually want to /hide/ errors and mistakes, retracting obviously
doesn't help with this. Everyone makes mistakes (I do!), so why not
leave them where they are and simply mark them as such.
We can 'git clone' anything into the namespace at compile time
Not if the repo owner has deleted it. Of course, you can vendor all
direct and indirect dependencies into your repo, if you don't mind the
added work and disk space consumption. But it's not an ideal solution.
some magic super ultra security system that trumps PGP signed git
repositories.
It is, and it doesn't /trump/ PGP signing but complement it. The Go
proxy and its transparency log solve a completely different problem than
commit signing. A signed repo can still be rug-pulled under your feet.
On 09.01.25 01:17, Jeffery Carr wrote:
On Sat, Jan 4, 2025 at 10:54 AM Christoph Berger
<christophberger....@gmail.com> wrote:
> We need "go-delete". Security is not important to us. There
should be a balance between people that need security and people
that don't need it.
Security might not be important to you, but it is important for
the clients of your code
Can't we have both?
How about a flag for 'go list' making the transaction log on
sum.golang.org <http://sum.golang.org> optional?
Or, how about just let users run their own:
sum.wit.com <http://sum.wit.com> # my own immutable transaction log.
Remember left-pad
<https://en.wikipedia.org/wiki/Npm_left-pad_incident#:~:text=As%20a%20result,their%20software%20products.>.
Ah, poor scripting languages. Since we are a compiler, it's not a fair
fight is it?
We can 'git clone' anything into the namespace at compile time.
A per-domain go-delete would not be any better than a global
go-delete.
It certainly is for me.
Asking to be able to delete errors and mistakes and start over is
reasonable.
I made a namespace error that took 3 years to figure out that there
was a better way. Now I can't fix it. Because what?
I assumed the proxy system was intended to make things elegant, fast
and simple, not so much some magic super ultra security system that
trumps PGP signed git repositories.
Happy hacking,
jcarr
As a funny aside, in the 80s movie Real Genius, they design a laser
that ends up being for a space weapon. The transparency log might be
the most reliable missile targeting system being that it's secure,
works everywhere and is anonymous.
go get missle1.cia.gov/41.725556/-49.946944/killbill
<http://missle1.cia.gov/41.725556/-49.946944/killbill> v0.0.2 (that's
the location of the titanic)
Besides this silliness, I would think abuse for nefarious purposes
would be high risk enough that you would want to push the log
responsibility to the namespace owners and wipe your hands of the
abuse problems.
--
You received this message because you are subscribed to the Google Groups
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit
https://groups.google.com/d/msgid/golang-nuts/2264e703-c219-4bc3-902b-58e730cfb046%40christophberger.com.
