英文:
Why bother with a golang repository (e.g. like Artifactory) for private packages, are GONOSUMDB/GOPRIVATE dangerous somehow?
问题
我正在处理一个私有的 Golang 项目,我在另一个私有项目中使用它。我使用它的 GitHub 仓库进行引用,在设置了 GOPRIVATE(GONOSUMDB 也有效)之后可以正常工作。
- 我的方法可行吗?不设置私有仓库为 GOPRIVATE 或 GONOSUMDB 会有什么原因吗?这样做会使我容易使用到糟糕的项目吗?
- 另外,为什么我要费心使用像 Artifactory 这样的私有仓库?它在使用私有 GitHub 仓库的基础上提供了什么好处?
谢谢你的帮助。
英文:
I am working on a private golang project that I consume in another private project.
i'm referencing it using its github repository, which worked after I set the repo in GOPRIVATE (GONOSUMDB also worked).
- Is my approach ok? is there a reason not to set my private repo to GOPRIVATE or GONOSUMDB do I open myself to consuming bad projects this way?
- In addition, why should I bother with a go, private repository like Artifactory? does it provide any benefit on top of consuming the private github repo?
Thanks for your help.
答案1
得分: 2
与其将存储库视为私有软件包存储库,不如将其视为缓存,并将软件包安全性作为次要考虑因素。
对于Go模块代理、sum数据库和索引,你只需要对代理服务器(https://proxy.golang.org/)保持谨慎,因为它是存储你的源文件的地方。因此,在这种情况下,Go代理等同于Artifactory。
https://www.jfrog.com/confluence/display/JFROG/Go+Registry:
....
远程Go注册表提供了对远程Go资源的代理和缓存功能。
....
英文:
Rather than considering an artifact repository as private package repository you should consider them as a cache and package security as second priority.
For go module proxy, sum db, and index, you should only be cautious with the proxy server (https://proxy.golang.org/) since that where golang "store" your source files. Hence golang proxy == artifactory in this case.
https://www.jfrog.com/confluence/display/JFROG/Go+Registry :
....
Remote Go registries which provide proxy and caching functionality for remote Go resources.
....
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论