build: use GOPROXY and disable download on some steps #7745
Conversation
sapk
changed the title
Codecov Report
@@ Coverage Diff @@
## master #7745 +/- ##
==========================================
- Coverage 41.27% 41.27% -0.01%
==========================================
Files 472 472
Lines 63854 63854
==========================================
- Hits 26356 26353 -3
- Misses 34061 34063 +2
- Partials 3437 3438 +1
Continue to review full report at Codecov.
|
GiteaBot
added
the
lgtm/need 2
lafriks
added
the
topic/build
GiteaBot
added
lgtm/need 1
GiteaBot
added
lgtm/done
|
Go1.13 will have the possibility to define multiple proxy source and we could set first the "standard" one and in second the China one. Maybe I should create an issue to track this needed change ? |
|
I can't trust builds using a private GOPROXY hosted in China. |
|
I don't trust |
|
@atomi https://github.com/go-gitea/gitea/blob/master/go.sum has all dependency checksums that are checked on dependency download that are verified so no tampering code in proxy is possible |
|
I specificaly only set the GOPROXY only for CI so that go.sum are not generated via proxy. |
|
@lafriks Thanks. I don't know if sum.golang.org is also blocked by China. The module system uses a 'trust on first use' see relevant issue golang/go#25530 Since CI is already being provided a sum file this may be okay if we're sure the sum file has not been tampered with. 🤷♂️ Edit: Here is a proposal with some background if you're interested. https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md |
|
@lunny Sorry. I meant any private proxy. Not because it's China specifically. We should not trust proxy.golang.org as you say either which is what the sumdb is supposed to address. |
|
The advantage of the go.sum file is that everyone can check it from it own point of view. For the GOSUM, I planned to add it as an extra step and it should not be blocked from china. If I am not mistaken the main concern for China is the ability to share data via those kind of platform (similar to play.golang.org) but that is not the case for GOSUM. Like always (for every software) deps are a security issue. This PR does not change local build process to let everyone build gitea like they want. But if your risk model, include go.sum to be tempered by any methods be sure to recheck it before build since the deps are vendored the build may blindly compile with tempered data depending on how you compile. From gitea point of view risk model, If something can temper go.sum and vendor it means that it have enough access to directly upload binary to releases (which is far more easy and silent). On other side, the more people build them self gitea the more it can be potential contributor later and that always a good point so what ever the reason I can always recommand to build gitea yourself. |
|
@lunny we need to check them always also as otherwise how we will know if PR is correct |
|
Now we only download at build step so it will only checked at this step. |
This PR set GOPROXY to speed-up CI process and serve as cache in case if gitea.com is down.
I setup it to use https://goproxy.cn since it is the only available worldwide.
I didn't change the Makefile to not impact build by user but only build on CI.