Go module proxy
source link: https://beta.gobuilds.org/
Gobuild: reproducible binaries with the Go module proxy
Gobuild deterministically compiles programs written in Go that are available through the Go module proxy, and returns the binary.
The Go module proxy ensures source code stays available, and you are highly likely to get the same code each time you fetch it. Gobuild aims to do the same for binaries.
You can compose URLs to a specific module, build or result:
- /module
- /module@version/package/goos-goarch-goversion/
- /module@version/package/goos-goarch-goversion/sum/
The first URL fetches the requested Go module to find the commands (main packages). In case of a single command, it redirects to a URL of the second form. In case of multiple commands, it lists them, linking to URLs of the second form. Links are to the latest module and Go versions, and with goos/goarch guessed based on user-agent.
The second URL first resolves "latest" for the module and Go version with a redirect. For URLs with explicit versions, it starts a build for the requested parameters if no build is available yet. After a successful build, it redirects to a URL of the third kind.
The third URL represents a successful build. The URL includes the sum: the versioned, raw-base64-url-encoded 20-byte prefix of the sha256 sum. The page links to the binary, the build output log file, and to builds of the same command with different module versions, goversions, goos/goarch.
You need not and cannot refresh a successful build: it would yield the same result.
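The sum format described above can be recomputed locally to check a binary fetched through the web interface against the sum in its URL. This is an added example, not code from gobuild itself; the function names are hypothetical, and it assumes the leading "0" of the example sum on this page is the version marker.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// sumVersion is the leading character of a gobuild sum. Assumption: "0",
// inferred from the example sum shown on this page.
const sumVersion = "0"

// GobuildSum streams r through SHA-256 and returns the versioned,
// raw-base64-url-encoded 20-byte prefix of the digest.
func GobuildSum(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return sumVersion + base64.RawURLEncoding.EncodeToString(h.Sum(nil)[:20]), nil
}

// VerifySum rejects sums with an unknown version or wrong length before
// hashing, then compares the recomputed sum against want.
func VerifySum(r io.Reader, want string) error {
	if !strings.HasPrefix(want, sumVersion) {
		return errors.New("unknown sum version")
	}
	raw, err := base64.RawURLEncoding.DecodeString(want[len(sumVersion):])
	if err != nil || len(raw) != 20 {
		return errors.New("malformed sum")
	}
	got, err := GobuildSum(r)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return fmt.Errorf("sum mismatch: got %s, want %s", got, want)
	}
	return nil
}

func main() {
	// Constructed sample bytes standing in for a downloaded binary.
	sum, _ := GobuildSum(strings.NewReader("constructed sample binary"))
	fmt.Println(sum, VerifySum(strings.NewReader("tampered bytes"), sum))
}
```

A matching sum only shows that the file is the one the URL names; whether that sum is in the append-only log is what "gobuild get" checks.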
Transparency log
Gobuild maintains a transparency log containing the hashes of all successful builds, similar to the Go module checksum database. Gobuild's "get" subcommand looks up a content hash through the transparency log, locally keeping track of the last known tree state. This ensures the list of successful builds and their hashes is append-only, and modifications or removals by the server will be detected when you run "gobuild get".
Examples
gobuild get github.com/mjl-/gobuild@latest
gobuild get -sum 0N7e6zxGtHCObqNBDA_mXKv7-A9M -target linux/amd64 -goversion go1.14.1 github.com/mjl-/[email protected]
If you run your own gobuild instance, specify the verifierkey on the command-line:
gobuild get -verifierkey beta.gobuilds.org+3979319f+AReBl47t6/Zl24/pmarcKhJtsfAU2c1F5Wtu4hrOgOQQ ...
Details
Only "go build" is run, for pure Go code. None of "go test", "go generate", build tags, cgo, custom compile/link flags, makefiles, etc. This means gobuild cannot build all Go applications.
Gobuild looks up module versions through the Go module proxy. That's why shorthand versions like "@v1" don't resolve.
The go.mod of a project must be complete and clean: no missing dependencies, no replace statements, module name must match requested build.
Gobuild automatically downloads a Go toolchain (SDK) from https://go.dev/dl/ when it is first referenced. It also periodically queries that page for the latest supported releases, for redirecting to the latest supported toolchains.
Gobuild can be configured to verify builds with other gobuild instances, requiring all to return the same hash for a build to be considered successful.
To build, gobuild executes:
GO19CONCURRENTCOMPILATION=0 GO111MODULE=on GOPROXY=https://proxy.golang.org/ CGO_ENABLED=0 GOOS=$goos GOARCH=$goarch $goversion install -trimpath -ldflags=-buildid= -- $module/$package@$version
It's easy to run a local or internal gobuild instance. For configuration details, see this empty example config.
Code is available at github.com/mjl-/gobuild, under MIT-license.
Why gobuild
Get binaries for any module without having a Go toolchain installed: Useful when working on a machine that's not yours, or for your colleagues or friends who don't have a Go compiler installed.
Simplify your software release process: You no longer need to cross compile for many architectures and upload binaries to a release page. You never forget a GOOS/GOARCH target. Just link to the build URL for your module and binaries will be created on demand.
Binaries for the most recent Go toolchain: Go binaries include the runtime and standard library of the Go toolchain used to compile, including bugs. Gobuild links or can redirect to binaries built with the latest Go toolchain, so no need to publish new binaries after an updated Go toolchain is released.
Verify reproducibility: Configure gobuild to check against other gobuild instances with different configuration to build trust that your binaries are indeed reproducible.
Caveats
A central service like gobuilds.org that provides binaries is an attractive target for attackers. By only building code available through the Go module proxy, and only building with official Go toolchains, the options for attack are limited. Further security measures are the isolation of the gobuild process and of the build commands (minimal file system view, mostly read-only; limited network; disallowing escalation of privileges).
The transparency log is only used when downloading binaries using the "gobuild get" command, which uses and updates the user's local cache of the signed append-only transparency log with hashes of built binaries. If users only download binaries through the convenient web interface, no verification of the transparency log takes place. The transparency log gives the option of verification; that alone may give users confidence the binaries are not tampered with. A nice way of continuously verifying that a gobuild instance, such as gobuilds.org, is behaving correctly is to set up your own gobuild instance that uses gobuilds.org as the URL to verify builds against.
Gobuild will build binaries with different (typically newer) Go toolchains than an author has tested their software with. So those binaries are essentially untested. This may cause bugs. However, point releases typically contain only stability/security fixes that don't normally cause issues and are desired. The Go 1 compatibility promise means code will typically work as intended with new Go toolchain versions. But an author can always link to a build with a specific Go toolchain version. A user simply has the additional option to download a build by a newer Go toolchain version.
gobuild v0.0.17 go1.19.1