-
Notifications
You must be signed in to change notification settings - Fork 23
Frequently Asked Questions
With the introduction of Go Modules in Go 1.11, the community is adopting a different approach. The dependencies now cached on your computer are binary archives of the source files and should not be checked into the source control. Instead, Go now resolves missing dependencies directly as binaries or as sources which are packed into binaries before they can be used as dependencies. We truly believe it's the right way to do things. Also, take a look at (this video)[https://youtu.be/KnuJnU35KBM?t=803] (the Why not Vendoring part of it, 3 minutes).
Saying that, if vendoring is working for you at the moment, you do not need Go Modules or GoCenter.
The current resolution of modules uses the git clone command to fetch the module archive if it exists, or the sources if it is missing (most of the libraries today don’t distribute a pre-packaged archive). Not only is git clone not optimized for massive concurrent downloads by CI servers across the world, but it’stime-consuming to package modules from scratch on the client every time the module is needed. GoCenter distributes pre-packaged immutable modules over HTTP.
Two additional benefits provided by GoCenter are persistence and immutability (see below ⬇️).
While a GitHub author can remove the module any time, destroying your build reproducibility, a pre-built artifact of the dependency will remain stored in GoCenter. GoCenter is a source for immutable modules, provided by their authors. We make sure that once the module is added to GoCenter, its metadata and the content of the binary archive won’t change, and you will always get the same binary for the same request.
Won’t a central repository create a single point of failure? What happens if it is not available or out of business?
GoCenter doesn’t host any unique content. You can switch to another source of dependencies at any time by changing the value of the GOPROXY
environment variable.
While we made sure the most popular modules are already in GoCenter, anyone can request a module inclusion. As long as the module is an open source, has an OSS license and is popular enough (meets the stars threshold on GitHub), its sources will be automatically downloaded, packaged and made available for use. The same process will be applied to this module’s transitive dependencies, making sure the complete dependency graph can be successfully resolved from GoCenter.
We respect the original license and copyright.
Immutability is important because having immutable dependencies is the only way to guarantee a reproducible build. If you aren’t sure that module A version 1 is the same artifact today as it was six months ago, you can’t be sure that the code dependent on it behaves the same. Unfortunately, GitHub can’t provide immutability guarantees for at least two reasons:
- GitHub allows force-pushing content to an existing tag, removing the immutability promise of a tag.
- If an author removes a project from GitHub, someone else can create another project under the same name and release binaries under the same coordinates, but with completely different content.
Once we step away from vendoring, we are dealing with a hierarchy of caches, each having their pros and cons:
- Local cache: Exists on your computer. Provides immediate access. Not shared. Not reliable (can be wiped at any moment).
- Organizational cache: JFrog Artifactory or Athens. Provides faster (Intranet) access. Provides reproducible builds as it caches the dependencies used once for build reproduction. Requires team infrastructure. Requires effort to get modules into the cache and maintain them (cleanups, backups, availability).
- Public cache: GoCenter. Provides fast access. Provides reproducible builds as it caches the popular and requested dependencies from version control. Highly available, requires no maintenance from the user and free to use.
Since each one of the layers serves a different purpose for different scenarios, JFrog Artifactory or Athens are not a replacement for GoCenter.
GoCenter is free and does not require any action other than setting the GOPROXY
variable. Once set, your builds are now faster and reproducible.
I heard that Google is planning to offer a central repository for Go Modules. How does GoCenter fit into that?
Like JFrog GoCenter, this service (will) pull modules from original sources and will package and serve them as immutable, trusted modules. We’re excited to see Google acknowledge the pain points that JFrog is currently solving for the community with GoCenter and JFrog Artifactory.
Google also plans to offer concrete APIs and surrounding services around Module Mirrors, including a public feed for new modules. We look forward to working with Google and other vendors to integrate these services into GoCenter once they become available, and to continue to improve the ecosystem of public, trusted Go modules.
There are two options when you can get a "checksum mismatch" error:
- The downloaded file is corrupt if you are a victim of a MITM attack. Check the dependency you're downloading to verify its authenticity.
- You used GoCenter between January 29, 2019, and March 14, 2019, during which period GoCenter generated "smarter", non-empty mod files for the packages it built. While we still believe that was the right solution, the downside of it was an inconsistency with how the
go
client works (generating empty mod file). Because of this inconsistency, the checksums didn't match. If you favored the mod files generated by GoCenter, you'd experience the checksum mismatch with the mod files generated by thego
client and with the modules downloaded from GoCenter after March 14th, 2019. In this case, feel free to delete the localgo.sum
file to let thego
client generate a correct one. Here's the list of modules, for which GoCenter has generated non-empty mod files. Please use it as a reference to determine "non-suspicious" checksum mismatches.