Follow

The Go module proxy world is making me nervous with its use of immutable, cached modules and unchangeable module checksums. The intention is good, but the real world is always more nuanced and complex than 'once someone fetches something from you it can never change and never be removed'.

(Note that I didn't say 'published'. People can fetch from you before you've officially 'published' as you consider it, or without it at all.)

In a world with mutable source code and tags, people pulling things from you that you didn't intend them to is their problem; you can change your history, your tags, and your repo as you want. In a world of cached immutable modules, it is suddenly your problem. Other people have the power to easily freeze and make available your work for all time.

@cks Push when you ready. Or upload tarballs to an FTP server if the modern world is too scary.

@pro Well, life is going to be interesting for the proxy operators when the first claims/reports about DMCA violations, trade secrets, or copyright violations in published modules start rolling in. Some of the organizations involved should be partially prepared, at least (eg Google, who already deal with many of them in other services).

Sign in to participate in the conversation
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!