How about a flag for 'go list' making the transaction log on sum.golang.org <http://sum.golang.org> optional?

Or, how about just let users run their own:

sum.wit.com <http://sum.wit.com> # my own immutable transaction log.

I don't see how this helps with your initial request to delete modules from the proxy.*
*

Ah, poor scripting languages. Since we are a compiler, it's not a fair fight is it?

The left-pad incident has absolutely nothing to do with how code is executed. Gophers can delete their repositories just like NodeJS devs can.

Asking to be able to delete errors and mistakes and start over is reasonable.

It is, and a solution exists: retract all versions of the module and start over. Inform the users of your module to switch over to the new namespace. (Give them time.)

If you actually want to /hide/ errors and mistakes, retracting obviously doesn't help with this. Everyone makes mistakes (I do!), so why not leave them where they are and simply mark them as such.

We can 'git clone' anything into the namespace at compile time
Not if the repo owner has deleted it. Of course, you can vendor all direct and indirect dependencies into your repo, if you don't mind the added work and disk space consumption. But it's not an ideal solution.

some magic super ultra security system that trumps PGP signed git repositories.
It is, and it doesn't /trump/ PGP signing but complement it. The Go proxy and its transparency log solve a completely different problem than commit signing. A signed repo can still be rug-pulled under your feet.

On 09.01.25 01:17, Jeffery Carr wrote:
On Sat, Jan 4, 2025 at 10:54 AM Christoph Berger <christophberger....@gmail.com> wrote:

    > We need "go-delete". Security is not important to us. There
    should be a balance between people that need security and people
    that don't need it.

    Security might not be important to you, but it is important for
    the clients of your code


Can't we have both?

How about a flag for 'go list' making the transaction log on sum.golang.org <http://sum.golang.org> optional?

Or, how about just let users run their own:

sum.wit.com <http://sum.wit.com> # my own immutable transaction log.

    Remember left-pad
    
<https://en.wikipedia.org/wiki/Npm_left-pad_incident#:~:text=As%20a%20result,their%20software%20products.>.


Ah, poor scripting languages. Since we are a compiler, it's not a fair fight is it?
We can 'git clone' anything into the namespace at compile time.

    A per-domain go-delete would not be any better than a global
    go-delete.


It certainly is for me.

Asking to be able to delete errors and mistakes and start over is reasonable.

I made a namespace error that took 3 years to figure out that there was a better way. Now I can't fix it. Because what?

I assumed the proxy system was intended to make things elegant, fast and simple, not so much some magic super ultra security system that trumps PGP signed git repositories.

Happy hacking,
jcarr
As a funny aside, in the 80s movie Real Genius, they design a laser that ends up being for a space weapon. The transparency log might be the most reliable missile targeting system being that it's secure, works everywhere and is anonymous. go get missle1.cia.gov/41.725556/-49.946944/killbill <http://missle1.cia.gov/41.725556/-49.946944/killbill> v0.0.2 (that's the location of the titanic) Besides this silliness, I would think abuse for nefarious purposes would be high risk enough that you would want to push the log responsibility to the namespace owners and wipe your hands of the abuse problems.

--
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/golang-nuts/2264e703-c219-4bc3-902b-58e730cfb046%40christophberger.com.

Reply via email to