Re: [tor-bugs] #32027 [Applications/Tor Browser]: Bump version of Go to 1.13+
#32027: Bump version of Go to 1.13+
--------------------------------------+---------------------------
Reporter: cohosh | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points: snowflake
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+---------------------------
Comment (by dcf):
Another thing to watch out for in Go 1.13. By default, even commands like
`go build` will phone home to proxy.golang.org and sum.golang.org. See:
* https://golang.org/doc/go1.13#modules
* https://proxy.golang.org/
> As of Go 1.13, the go command by default downloads and authenticates
> modules using the Go module mirror and Go checksum database.
* https://golang.org/cmd/go/#hdr-Module_downloading_and_verification
> The go command can fetch modules from a proxy or connect to source
> control servers directly, according to the setting of the GOPROXY
> environment variable (see 'go help env'). The default setting for GOPROXY
> is "https://proxy.golang.org,direct", which means to try the Go module
> mirror run by Google and fall back to a direct connection if the proxy
> reports that it does not have the module (HTTP error 404 or 410).
The phone-home behavior is annoying, but probably mostly harmless in the
rbm context. To disable the proxy.golang.org reporting, you can set
`GOPROXY=direct` -- but even better for us may be `GOPROXY=off`, which is
supposed to "disallow downloading modules from any source," which is what
we want during the offline portion of the build.
To disable the sum.golang.org reporting, you can set `GOSUMDB=off`.
https://golang.org/cmd/go/#hdr-Module_authentication_failures
> If GOSUMDB is set to "off", or if "go get" is invoked with the -insecure
> flag, the checksum database is not consulted, and all unrecognized modules
> are accepted, at the cost of giving up the security guarantee of verified
> repeatable downloads for all modules.
I personally had problems this week with checksum mismatches using
go1.13.1 -- it turns out they changed how checksums are calculated with
respect to symlinks, or something, and invalidated previous checksums. I
tried clearing my cache and everything, and could not get
https://github.com/lucas-clemente/quic-go to build using go1.13.1 because
of checksum mismatches. So if you get "checksum mismatch" errors, it's
something related to that.
* https://github.com/golang/go/issues/29278
* https://github.com/search?utf8=%E2%9C%93&q=golang+checksum+mismatch&type=Issues
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32027#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
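
Added example, not part of dcf's comment or of the Tor Browser build scripts: a preflight check for the offline part of a build that flags any GOPROXY or GOSUMDB value other than the `off` settings discussed above. The function name `check_offline_go_env` and the sample calls are assumptions made for illustration; an empty argument stands for the Go 1.13 default.

```shell
#!/bin/sh
# Added example: preflight check before the offline part of a build.
# Pass the effective values, for instance
#   check_offline_go_env "$(go env GOPROXY)" "$(go env GOSUMDB)"
# An empty argument stands for "unset", i.e. the Go 1.13 default.

check_offline_go_env() {
    proxy=${1:-https://proxy.golang.org,direct}   # Go 1.13 default
    sumdb=${2:-sum.golang.org}                    # Go 1.13 default
    rc=0

    # GOPROXY is a comma-separated list. Be conservative: flag every entry
    # other than "off", whatever its position in the list.
    rest=$proxy
    while [ -n "$rest" ]; do
        entry=${rest%%,*}
        case $rest in
            *,*) rest=${rest#*,} ;;
            *)   rest= ;;
        esac
        case $entry in
            off|"") ;;
            direct) echo "GOPROXY: direct connections to source control servers allowed"; rc=1 ;;
            *)      echo "GOPROXY: module proxy $entry would be queried"; rc=1 ;;
        esac
    done

    if [ "$sumdb" != off ]; then
        echo "GOSUMDB: checksum database $sumdb would be consulted"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "ok: GOPROXY and GOSUMDB are both off"
    fi
    return "$rc"
}

# Constructed sample calls: Go 1.13 defaults, then the settings from the comment.
check_offline_go_env "" "" || true
check_offline_go_env off off
```

A non-zero return lets a build wrapper stop before `go build` runs with settings that permit network access.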