Go modules services
source link: https://proxy.golang.org/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Go Module Mirror, Index, and Checksum Database
The Go team is providing the following services run by Google: a module mirror for accelerating Go module downloads, an index for discovering new modules, and a global go.sum database for authenticating module content.
As of Go 1.13, the go command by default downloads and authenticates modules using the Go module mirror and Go checksum database. See proxy.golang.org/privacy for privacy information about these services and the go command documentation for configuration details including how to disable the use of these servers or use different ones. If you depend on non-public modules, see the documentation for configuring your environment.
Services
proxy.golang.org - a module mirror
which meets the spec provided at go help goproxy. For users downloading large
numbers of modules (e.g. for bulk static analysis), the mirror supports a non-standard header,
Disable-Module-Fetch: true that instructs it to return only cached content.
This will avoid slow downloads, at the cost of possibly missing some rarely-used modules.
sum.golang.org - an auditable checksum database which will be used by the go command to authenticate modules. Check out the Secure the Public Go Module Ecosystem Proposal for more details.
index.golang.org - an index which serves a feed of new module versions that become available by proxy.golang.org. The feed can be viewed at https://index.golang.org/index. The feed is served as new line delimited JSON, providing the module path (as Path), the module version (as Version), and the time it was first cached by proxy.golang.org (as Timestamp). The list is sorted in chronological order. There are two optional parameters:
- 'since': the oldest allowable timestamp (RFC3339 format) for module versions in the returned list. Default is the beginning of time, e.g. https://index.golang.org/index?since=2019-04-10T19:08:52.997264Z
- 'limit': the maximum length of the returned list. Default = 2000, Max = 2000, e.g. https://index.golang.org/index?limit=10
Disable-Module-Fetch header, described above.
Status: Launched
These services are ready for production use. Please file issues if you spot them, with the title prefix "proxy.golang.org": (or index.golang.org, or sum.golang.org).
Environment setup
These services can only access publicly available source code. If you depend on private
modules, set GOPRIVATE to a glob pattern that covers them. See
Module configuration for non-public modules
in the go command documentation for more details.
For versions earlier than Go 1.13, you can configure the go command to download modules using
this module mirror by setting GOPROXY=https://proxy.golang.org.
To opt-out of this module mirror, you can turn it off by setting GOPROXY=direct
See the go command documentation for other configuration details.
Checksum database
Older versions of the go command cannot directly use the checksum database. If you are using Go 1.12 or earlier, you can manually check a go.sum file against the checksum database with gosumcheck:
go get golang.org/x/mod/gosumcheck
gosumcheck /path/to/go.sum
I committed a new change (or released a new version) to a repository, why isn't it showing up
when I run go get -u or go list -m --versions?
In order to improve our services' caching and serving latencies, new versions may not show up
right away. If you want new code to be immediately available in the mirror, then first make sure
there is a semantically versioned tag for this revision in the underlying source repository.
Then explicitly request that version via go get module@version. After one minute
for caches to expire, the go command will see that tagged version. If this doesn't work for you,
please file an issue.
I removed a bad release from my repository but it still appears in the mirror, what should I do?
Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.
I'm running the go command in an environment that can't use the mirror.
The go command documentation describes the configuration details including how to disable the use of these servers or use different ones.
If I don't set GOPRIVATE and request a private module from these services,
what leaks?
The proxy and checksum database protocols only send module paths and versions to the remote server. If you request a private module, the mirror will try to download it just as any Go user would and fail in the same way. Information about failed requests isn't published anywhere. The only trace of the request will be in internal logs, which are governed by the privacy policy.
Why did a previously available module become unavailable in the mirror?
proxy.golang.org does not save all modules forever. There are a number of reasons for this, but one reason is if proxy.golang.org is not able to detect a suitable license. In this case, only a temporarily cached copy of the module will be made available, and may become unavailable if it is removed from the original source and becomes outdated. The checksums will still remain in the checksum database regardless of whether or not they have become unavailable in the mirror.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK