Linux distros just going and disabling critical security features like the Go Checksum Database seems like a regular occurrence. It’s unclear to me whether there’s any Linux community that I can identify with enough to run their packages.
I understand that point of view, sort of that Google is "too big to fail" and so they would never dare do something like that... but IDK... I think at least if they are gonna do that they shouldn't hide it and mislead people about it.
@forestjohnson the point is that the team went out of their way to build a transparency log to make it impossible to hide misbehavior, which no other centralized language package ecosystem (all of them) did. Calling that telemetry, and a confusing error message misleading (when there’s plenty of docs about the whole thing) is… a choice.
> when there’s plenty of docs about the whole thing
Aka "RTFM", doesn't sound great here.
I _**know**_ it's misleading directly from my lived experience, and from hearing from 90+% of Go developers who had exactly the same incorrect mental model of `go get`.
Whether it talks about this in some manual page somewhere or not doesn't really matter; no one is going to read that until after they discover that `go get` isn't doing what they expected.
The affordances and apparent behavior of the tool are the only way to "explain" this to users so they know what they're getting.
> hearing from 90+% of go developers
Sorry, this was worded poorly. What I meant was, everyone I meet who uses Go tends to fall into one of three camps:
25%: Knows about the Go proxy and Go sumdb because they read about it in social media posts like this one
70%: Thinks that `go get` directly connects to the server domain listed in `go.mod`
5%: Knows about the Go proxy and Go sumdb because it broke their build
I have yet to meet anyone who learned about it by reading the documentation.
@filippo Like, even if it just printed a log by default
> Now I am connecting to the default go package proxy `proxy.golang.org`
> Now I am checking this hash `1a2b3c4d5e6f......` against the go sum db at `sum.golang.org`
That would address what I'm complaining about.
Even better, it would overwrite the lines in your `go.mod`, i.e.,
from
```
require (
git.sequentialread.com/forest/config-lite 164dc71bce04989dc5ffbbfd5769a689230f126a
)
```
to
```
require (
proxy.golang.org/git.sequentialread.com/forest/config-lite 164dc71bce04989dc5ffbbfd5769a689230f126a
)
```