> Our internal packaging team's biggest worry is that we don't want someone to download something to their development laptop, compile the code into a standalone binary, then deploy that out to our container platforms.
That's not really a problem with Go but an organizational problem. You don't want people to download stuff from the internet? Use a firewall disallowing people from accessing the internet. Anybody can go on GitHub, click on a link and get a zip with some source code. How are you going to deal with that? It has nothing to do with Go.

Either you trust your developers with their intelligence, or you don't and you don't allow them to deploy anything on your container platforms without significant code review from an accredited developer who will be the only one authorized to deploy anything on your container platforms.

On Friday, March 2, 2018 at 11:59:13 UTC+6, Brendan O'Dwyer wrote:
>
> Yes (technically) our deploys are controlled via GitLab.
>
> Our internal packaging team's biggest worry is that we don't want someone
> to download something to their development laptop, compile the code into a
> standalone binary, then deploy that out to our container platforms.
>
> In our production environment this isn't even an issue because we
> can't even reach out to the internet in builds/deploys because it's limited
> to only internal locations. Their concern is that in development people
> could `go get` packages that are not approved, then deploy those. While
> that is super cool and awesome in open source worlds, unfortunately I work
> for a bank that really likes to restrict and limit things so that they are
> as secure as can be.
>
> On Wednesday, February 21, 2018 at 4:18:54 PM UTC-6, matthe...@gmail.com
> wrote:
>>
>> Are the builds and deployment controlled? The command “go list” can be
>> used to simplify parsing the imports in each package, so a script could
>> check that every import is either an allowed standard library package or
>> one matching your internal URL.
>>
>> Matt
>>
>> On Wednesday, February 21, 2018 at 11:37:35 AM UTC-6, Brendan O'Dwyer
>> wrote:
>>>
>>> My company wants to start using go more, and traditionally when we use
>>> java and python, when we package them for the developer laptops we override
>>> settings and configs for the installs to point to our internal Artifactory
>>> so that we don't have developers using packages that haven't been ok'd for
>>> use. I was wondering if there was any way to do this or configure go to
>>> limit what it's allowed to import from the open internet with the `go get`
>>> command?
>>>
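
The check Matt describes in the quoted message (every import is either standard library or under the internal URL), sketched in Go as an added example; it is not code from anyone in this thread. `git.internal.example/` is a placeholder for the internal host, the dot-free-first-element test for standard library paths is a heuristic, and the `/vendor/` handling assumes vendored copies can be listed under the importing tree's own path.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// Assumption: placeholder for the internal host that serves approved packages.
const internalPrefix = "git.internal.example/"

// allowed reports whether p is standard library or internal. A vendored copy can
// appear as <internal>/vendor/<external>, so the part after "/vendor/" is judged.
func allowed(p string) bool {
	if i := strings.LastIndex(p, "/vendor/"); i >= 0 {
		p = p[i+len("/vendor/"):]
	}
	// Heuristic: standard library paths have no dot in their first element.
	if !strings.Contains(strings.SplitN(p, "/", 2)[0], ".") {
		return true
	}
	return strings.HasPrefix(p, internalPrefix)
}

// Disallowed returns the unique import paths that fail the policy, in input order.
func Disallowed(imports []string) []string {
	var bad []string
	seen := map[string]bool{}
	for _, p := range imports {
		if !seen[p] && !allowed(p) {
			bad = append(bad, p)
		}
		seen[p] = true
	}
	return bad
}

// Usage: go list -f '{{join .Imports "\n"}}' ./... | go run check.go
func main() {
	data, err := io.ReadAll(os.Stdin)
	if err != nil {
		panic(err)
	}
	if bad := Disallowed(strings.Fields(string(data))); len(bad) > 0 {
		fmt.Println(strings.Join(bad, "\n"))
		os.Exit(1)
	}
}
```

Run as a CI step, the non-zero exit status fails the pipeline before a binary built from unapproved imports reaches a deploy stage.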