TL;DR Given a Go module, assuming that I have already done `go mod download`: Is it possible to prevent network access if I delete the entire `$GOPATH/pkg/mod/cache`?

Hello,

I'm a member of Nix <https://nixos.org>, and I'm attempting to create a new infrastructure for packaging Go modules <https://github.com/NixOS/nixpkgs/pull/57080> that relies on the reproducibility of Go modules. I have the following requirements:

1. Nix comes with Sandbox for building packages.
2. Sandbox does not allow writing to HOME. There are three places where the write is allowed: $NIX_BUILD_TOP, $TMPDIR and output directories such as $out and $bin.
3. Sandbox does not allow access to the internet, except if the package is intended to fetch dependencies; we call these packages a `fetcher`.
4. Every source of input, be it a tarball or dependencies created by a `fetcher`, must be compared against a fixed hash for security purposes.

Given the requirements above, I was able to work with Go modules by setting GOCACHE to `$TMPDIR/go-cache` and by setting GOPATH to `$NIX_BUILD_TOP/go` (<off-topic>Please have a different variable control where Go modules are downloaded, GOPATH is confusing</off-topic>).

I'm currently trying to figure out how to get go-modules to work without network access. Here's the algorithm for the packaging. Please note that a derivation is just another name for a package.

1. Intermediate derivation: Fetch all the dependencies. This is done by setting GOPATH to a temporary directory and running `go mod download`. I then proceed to remove `$GOPATH/pkg/mod/cache` before copying the entire `$GOPATH/pkg/mod` to the output of this derivation.
2. Final derivation: Build the Go module. This is done by setting GOPATH to a temporary directory and restoring the output of the intermediate derivation to `$GOPATH/pkg/mod`. However, this is where Go attempts network access to re-download the modules and fails to build.

I am willing to patch Go in order for it to assume that the modules are available under pkg/mod, guarded by an environment variable such as __NIX_GO_SKIP_MOD_DOWNLOAD, but I do not know where I can do that.

Can someone please point me in the right direction?

Thank you,
Wael
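
Requirement 4 in the message above (fetcher output compared against a fixed hash before the network-less build consumes it), as an added example that is not part of the original message and is not Nix's or Go's own code. The digest format, the function names and the `example.com/dep@v1.0.0` tree are assumptions constructed for illustration; this is not Nix's NAR hash.

```python
import hashlib
import hmac
import os
import stat
import tempfile

def tree_digest(root):
    """SHA-256 over (kind, relative path, content) of every file and symlink.

    Timestamps, ownership and directory order are ignored; empty directories
    are not recorded. Illustrative format only, not Nix's NAR hash.
    """
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isdir(full):
                entries.append(os.path.relpath(full, root))
    h = hashlib.sha256()
    for rel in sorted(entries):
        full = os.path.join(root, rel)
        mode = os.lstat(full).st_mode
        if stat.S_ISLNK(mode):
            kind, data = b"L", os.fsencode(os.readlink(full))
        else:
            kind = b"X" if mode & stat.S_IXUSR else b"F"
            with open(full, "rb") as f:
                data = f.read()
        for field in (kind, rel.replace(os.sep, "/").encode(), data):
            h.update(len(field).to_bytes(8, "big"))  # length prefix: no ambiguity
            h.update(field)
    return h.hexdigest()

def verify_fetcher_output(root, pinned_hex):
    """Refuse to hand the tree to the offline build unless it matches the pin."""
    actual = tree_digest(root)
    if not hmac.compare_digest(actual, pinned_hex):
        raise ValueError(f"hash mismatch: pinned {pinned_hex}, got {actual}")
    return actual

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as out:  # stands in for the fetcher's $out
        mod = os.path.join(out, "example.com", "dep@v1.0.0")  # constructed module
        os.makedirs(mod)
        with open(os.path.join(mod, "dep.go"), "w") as f:
            f.write("package dep\n")
        pin = tree_digest(out)  # recorded once, at packaging time
        print("pinned:", verify_fetcher_output(out, pin))
        with open(os.path.join(mod, "dep.go"), "a") as f:
            f.write("// modified after pinning\n")
        try:
            verify_fetcher_output(out, pin)
        except ValueError as e:
            print("rejected:", e)
```

Because only paths, entry kinds and contents are hashed, the pin stays stable across rebuilds as long as the fetched tree is byte-identical, which is the property a fixed-hash fetcher depends on.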