Linux distros just going and disabling critical security features like the Go Checksum Database seems like a regular occurrence. It’s unclear to me whether there’s any Linux community that I can identify with enough to run their packages.

mas.to/@zekjur/111331838497984

@filippo

I understand that point of view, sort of that Google is "too big to fail" and so they would never dare do something like that... but IDK.. I think at least if they are gonna do that they shouldn't hide it and mislead people about it

github.com/golang/go/issues/51

@forestjohnson the point is that the team went out of their way to build a transparency log to make it impossible to hide misbehavior, which no other centralized language package ecosystem (all of them) did. Calling that telemetry, and a confusing error message misleading (when there’s plenty of docs about the whole thing) is… a choice.

@filippo I use the word "misleading" because pretty much every golang developer I run into (including myself before this issue thread) has no idea that this feature exists, and their mental model of what go get is doing is wrong.

@filippo

> when there’s plenty of docs about the whole thing

Aka "RTFM", doesn't sound great here.

I _**know**_ it's misleading directly from my lived experience, and from hearing from 90+% of go developers who had exactly the same incorrect mental model of `go get`.

Whether it talks about this in some manual page somewhere or not doesn't really matter; no one is going to read that until after they discover that `go get` isn't doing what they expected.

The affordances and apparent behavior of the tool are the only way to "explain" this to users so they know what they're getting.


@filippo Like, even if it just printed a log by default

> Now I am connecting to the default go package proxy `proxy.golang.org`

> Now I am checking this hash `1a2b3c4d5e6f......` against the go sum db at `sum.golang.org`

That would address what I'm complaining about.

Even better, it would overwrite the lines in your `go.mod`, i.e.,

from

```
require (
git.sequentialread.com/forest/config-lite 164dc71bce04989dc5ffbbfd5769a689230f126a
)
```

to

```
require (
proxy.golang.org/git.sequentialread.com/forest/config-lite 164dc71bce04989dc5ffbbfd5769a689230f126a
)
```
