Introduction

Starting with Go 1.13, Go Modules, the standard package manager for Golang, are enabled automatically at installation and come with a default GOPROXY.

But what about other GOPROXY options, such as JFrog GoCenter, and your own private Go modules that must be kept out of public view? What configuration should you choose? How do you keep your public and private resources from becoming a tangled knot?

Let’s take a look at what a GOPROXY does and how to set one up for a fast, reliable, and secure system.

What is a GOPROXY?

GOPROXY controls the source of Go module downloads, helping to ensure deterministic and secure builds. (See also, on the JFrog official account: what Go Modules are, the benefits of Go Modules, and how to convert to Go Modules quickly.)

Before GOPROXY existed, Golang developers downloaded module dependencies directly from source repositories in VCS systems such as GitHub, Bitbucket, Bazaar, Mercurial, or SVN. Third-party dependencies are usually downloaded from public source repos. For private dependencies, you must authenticate to the VCS system where they are stored before the module source files can be downloaded.

While the workflow above is widely used, it does not provide deterministic and secure builds, and it lacks two basic requirements of the development process: immutability and availability. Authors can delete modules or edit an existing release in place. While these scenarios are considered bad practice, they occur quite often, as shown below:


Using GOPROXY

Set up a GOPROXY for your Golang development or CI environment, and Go module download requests are redirected to the caching repository that GOPROXY points to.

Using a GOPROXY for module dependency management helps meet the immutability requirement for development and builds. Because the module package is returned from the GOPROXY cache, a given module version requested by the user always resolves to the same content (the same module source code), even if the module has recently been modified incorrectly in the VCS repo, so results are consistent across multiple builds.

The GOPROXY cache also helps ensure that modules are always available, even if the original modules in the VCS repo have been deleted.

There are different ways to use a GOPROXY, depending on which sources you want to rely on for Go modules. The usual options are a public GOPROXY, private Go modules, and a private GOPROXY.


Public GOPROXY

A public GOPROXY is a centralized repository available to Golang developers around the world. It caches a large number of open source Go modules from publicly accessible third-party VCS project repositories. Most of these GOPROXYs, such as JFrog GoCenter and goproxy.cn, are free for the Golang developer community. The architecture of this type of GOPROXY, which provides consistency and availability for Go modules, is shown in the following figure:

To use a public GOPROXY, set the Golang environment variable to its URL:

$ export GOPROXY=https://gocenter.io

This redirects all module download requests to GoCenter. Downloading from a public GOPROXY is much faster than downloading directly from the VCS.

Beyond serving downloads, a public GOPROXY can give Golang developers more detailed information about the modules it hosts. JFrog GoCenter provides a rich UI for searching modules and for viewing security information (such as CVEs), non-security metadata (such as star count, download statistics, and license information), and GoSumDB support. This metadata helps users make better decisions when choosing open source Go modules.

Private Go modules

Golang projects typically use both open source and private modules. Some users set the GOPRIVATE environment variable to a list of path patterns that must bypass GOPROXY and GOSUMDB, so that private modules are downloaded directly from their VCS repos. For example, you might want to retrieve all open source modules from GoCenter but request private modules only from your company’s servers, as in the diagram below:

To use the GoCenter public GOPROXY together with private modules, set the Golang environment variables:

$ export GOPROXY=https://gocenter.io,direct

$ export GOPRIVATE=*.internal.mycompany.com

Using GOPRIVATE this way also ensures that your use of these private modules is not “leaked” through requests to a public GOPROXY or checksum database server on the open network. Another alternative is the GONOSUMDB variable, which lists the paths of your private Go modules. While this configuration enables the Go client to resolve both public and private module dependencies, it does not enforce the immutability or availability requirements for private modules.


Private GOPROXY

A private GOPROXY is a tool for storing public and private Go modules on your own infrastructure.

Public modules are made available through a binary repository manager (such as JFrog Artifactory) that proxies and caches a public GOPROXY inside the enterprise network.

Private modules can also be cached from their VCS repos into the same repository manager. In this way, the immutability and availability of both public and private Go modules are guaranteed.

In Artifactory, you can combine these into one virtual repository by setting up a remote repository for GoCenter, a remote Go module repository pointing to your private GitHub repositories for private modules, and a local Go module repository. Users then access all three as a single unit, as shown below:

Set GOPROXY to the virtual repository named “go” in Artifactory:

$ export GOPROXY="https://<username>:<password>@my.artifactory.server/artifactory…"

$ export GONOSUMDB="github.com/mycompany/*,github.com/mypersonal/*"

Because modules in your private VCS repos have no entries in the public checksum database at sum.golang.org, they must be excluded from the go client’s checksum verification. Setting GONOSUMDB to your private VCS repo paths does this and prevents go get commands for these private modules from failing with checksum mismatches.
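To see exactly which module paths the GOPRIVATE setting in the previous section and the GONOSUMDB setting above actually cover, here is an added Go example (not code from the original article or from JFrog) that re-implements the pattern-matching rule documented in `go help module-private`: each comma-separated glob is matched, in path.Match syntax, against the same number of leading path elements of the module path, and GONOPROXY and GONOSUMDB fall back to GOPRIVATE when they are empty. The module paths and the function names are my own constructions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns follows the rule in `go help module-private`: each
// comma-separated glob (path.Match syntax) is compared against the same
// number of leading path elements of modPath as the glob itself has.
func matchPrefixPatterns(globs, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		n := strings.Count(glob, "/") + 1 // path elements in the pattern
		if len(elems) < n {
			continue // module path is shorter than the pattern
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// Route reports whether a request for modPath goes through GOPROXY (false
// means a direct VCS download) and whether sum.golang.org is consulted.
// GONOPROXY and GONOSUMDB fall back to GOPRIVATE when they are empty.
func Route(goprivate, gonoproxy, gonosumdb, modPath string) (viaProxy, checkSumDB bool) {
	if gonoproxy == "" {
		gonoproxy = goprivate
	}
	if gonosumdb == "" {
		gonosumdb = goprivate
	}
	return !matchPrefixPatterns(gonoproxy, modPath), !matchPrefixPatterns(gonosumdb, modPath)
}

func main() {
	// Constructed paths with the article's GOPRIVATE value; the third is NOT covered,
	// because "*." requires a leading element before the dot, so it would reach the public proxy.
	for _, m := range []string{"github.com/gin-gonic/gin", "git.internal.mycompany.com/team/lib", "internal.mycompany.com/lib"} {
		p, s := Route("*.internal.mycompany.com", "", "", m)
		fmt.Printf("%-40s proxy=%-5v sumdb=%v\n", m, p, s)
	}
}
```

Running it shows that a company module path without a subdomain prefix is not matched by `*.internal.mycompany.com` and would still be requested from the public GOPROXY and checksum database, which is the “leak” the text warns about.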

In this configuration, you can ensure that references to private modules do not “leak” and that both public and private modules are immutable and available.

Conclusion: untangle the knot

As you can see, using a private GOPROXY provides the most certainty, reliability, and security.

You can also speed up module dependency resolution by placing your private GOPROXY close, in network terms, to your build tools. JFrog Artifactory can be installed where you need it most: in an on-premises data center, in the cloud, or as a SaaS edition on a public cloud provider.

These benefits are not limited to Golang development. Most technology companies use more than one language and multiple package managers. For example, the code might be written in Golang while NPM is used for the UI, Docker for distribution, and Helm for deploying applications on Kubernetes (K8s).

By supporting more than 27 package types, Artifactory provides a deterministic, stable, and secure software development process for all of your applications.

For more content, follow our online classes: search for the WeChat official account JFrogChina to receive course notifications.