Why bother with a golang repository (e.g. like Artifactory) for private packages, are GONOSUMDB/GOPRIVATE dangerous somehow?

Question

I am working on a private Go project that I consume in another private project.
I'm referencing it using its GitHub repository, which worked after I set the repo in GOPRIVATE (GONOSUMDB also worked).

  1. Is my approach OK? Is there a reason not to set my private repo in GOPRIVATE or GONOSUMDB? Do I open myself to consuming bad projects this way?
  2. In addition, why should I bother with a private Go repository like Artifactory? Does it provide any benefit on top of consuming the private GitHub repo?

Thanks for your help.

Answer 1

Score: 2

Rather than considering an artifact repository a private package repository, you should consider it a cache, and package security a second priority.

For the Go module proxy, sum DB, and index, you should only be cautious with the proxy server (https://proxy.golang.org/), since that is where Go "stores" your source files. Hence Go proxy == Artifactory in this case.

https://www.jfrog.com/confluence/display/JFROG/Go+Registry :

....

Remote Go registries which provide proxy and caching functionality for remote Go resources.

....
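Added example, not code from the question, the answer, or the Go project itself: a small program that reimplements the GOPRIVATE / GONOPROXY / GONOSUMDB matching rule from `go help module-private` (comma-separated path.Match globs applied to module-path prefixes) and the defaulting rule from `go help environment` (GONOPROXY and GONOSUMDB default to GOPRIVATE, an explicit value overrides it), then shows what each setting does to a few constructed module paths. The org name `github.com/myorg`, the probe module list and the three configurations are assumptions for illustration; the `GONOPROXY=none` configuration is the documented way to route private modules through your own proxy (the Artifactory setup the answer describes) while still keeping them out of the public checksum database.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns reports whether modulePath matches any comma-separated
// glob in globs, per `go help module-private`: a glob with N+1 slash-separated
// elements is matched (path.Match) against the first N+1 elements of the
// module path. "github.com/myorg" matches "github.com/myorg/lib" but not
// "github.com/myorgx/lib"; "*.corp.example.com" matches "git.corp.example.com/x".
func matchPrefixPatterns(globs, modulePath string) bool {
	elems := strings.Split(modulePath, "/")
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		want := strings.Count(glob, "/") + 1
		if len(elems) < want {
			continue
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:want], "/")); ok {
			return true
		}
	}
	return false
}

// Decision records what the go command would do for one module path.
type Decision struct {
	ViaProxy bool // downloaded through GOPROXY (proxy.golang.org by default)
	ViaSumDB bool // new checksums verified against GOSUMDB (sum.golang.org)
}

// decide applies the precedence from `go help environment`: GONOPROXY and
// GONOSUMDB each default to GOPRIVATE; a non-empty value overrides the default.
func decide(goprivate, gonoproxy, gonosumdb, modulePath string) Decision {
	noProxy, noSumDB := goprivate, goprivate
	if gonoproxy != "" {
		noProxy = gonoproxy
	}
	if gonosumdb != "" {
		noSumDB = gonosumdb
	}
	return Decision{
		ViaProxy: !matchPrefixPatterns(noProxy, modulePath),
		ViaSumDB: !matchPrefixPatterns(noSumDB, modulePath),
	}
}

// unverifiedPublic returns the probe modules that are NOT private (do not match
// wantPrivate) yet would skip sum.golang.org under the given settings. A
// non-empty result means the pattern is broader than intended and public
// dependencies silently lose checksum-database verification.
func unverifiedPublic(goprivate, gonoproxy, gonosumdb, wantPrivate string, probes []string) []string {
	var out []string
	for _, m := range probes {
		if matchPrefixPatterns(wantPrivate, m) {
			continue
		}
		if !decide(goprivate, gonoproxy, gonosumdb, m).ViaSumDB {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// Constructed sample: one private org plus a few public dependencies.
	probes := []string{
		"github.com/myorg/lib",
		"github.com/myorg/lib/v2",
		"github.com/someone-else/lib",
		"golang.org/x/crypto",
	}
	configs := []struct{ name, goprivate, gonoproxy, gonosumdb string }{
		{"narrow GOPRIVATE", "github.com/myorg", "", ""},
		{"overly broad GOPRIVATE", "github.com", "", ""},
		{"own proxy for everything (Artifactory-style)", "github.com/myorg", "none", ""},
	}
	for _, c := range configs {
		fmt.Printf("%s: GOPRIVATE=%q GONOPROXY=%q GONOSUMDB=%q\n", c.name, c.goprivate, c.gonoproxy, c.gonosumdb)
		for _, m := range probes {
			d := decide(c.goprivate, c.gonoproxy, c.gonosumdb, m)
			fmt.Printf("  %-28s proxy=%-5v sumdb=%v\n", m, d.ViaProxy, d.ViaSumDB)
		}
		if leaks := unverifiedPublic(c.goprivate, c.gonoproxy, c.gonosumdb, "github.com/myorg", probes); len(leaks) > 0 {
			fmt.Printf("  WARNING: public modules without sumdb verification: %v\n", leaks)
		}
	}
}
```

What the output makes visible: the narrow pattern only exempts your own org; the single-element pattern `github.com` also turns off sum.golang.org verification for every public GitHub module you depend on, which is the realistic way to "open yourself to bad projects" with these variables. Note what GONOSUMDB does and does not skip: it stops the go command from consulting the checksum database for new entries, but hashes already recorded in your go.sum are still enforced on every build, so commit go.sum and review changes to it in code review regardless of which setup you choose.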

Posted by huangapple on 2021-06-22 20:48:08
Source: https://go.coder-hub.com/68083832.html