Since Go 1.13, Go modules use https://proxy.golang.org/ to cache repositories. Consider that I have a private repository as a Go module at github.com/Ihtkas/libraries and I import the module in another local Go file, sort.go. When I build the local code with GIT_TERMINAL_PROMPT=1, go builds sort.go with my login credentials for the local repository. In this case, does Go cache the private repository in proxy.golang.org? When someone else imports the same private package and uses valid credentials to access the package, is the package in the private repo served from proxy.golang.org with just the authentication forwarded to github.com? My exact question is:

Does go in anyway hold the private repo code in proxy server?

IhtkaS
  • It would be kind of an obvious security hole if `goproxy.golang.org` could capture private git credentials (which are never seen by the proxy in the first place). – JimB Nov 18 '19 at 13:48
  • It need not capture (I mean store) the credentials in proxy.golang.org. It can just forward or use the credentials when requesting a package from the private repository. Maybe in the name of efficiency, it can just use git for authentication and serve the content from the proxy. – IhtkaS Nov 18 '19 at 13:53
  • Git does not forward your private key to the go proxy. Even if git were to communicate with the proxy at all, that's not how PKI works. – JimB Nov 18 '19 at 13:55
  • Username and password given as input while running go get can be transported to proxy.golang.org and the server can use that to fetch the repo in proxy server and serve it from there. – IhtkaS Nov 18 '19 at 14:01
  • These are not explicitly mentioned in the privacy policy in this link https://proxy.golang.org/. I just want to make sure that my private repository is not stored in any other place. – IhtkaS Nov 18 '19 at 14:04
  • git does not communicate with the proxy. It does not use nor understand the GOPROXY protocol. If you give your username and password to git (which should be using PKI), git is fetching the package, not the go tool. – JimB Nov 18 '19 at 14:07
  • @JimB Thanks for the clarification. So I will assume that private repositories are never cached in proxy.golang.org – IhtkaS Nov 18 '19 at 14:11
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/202574/discussion-between-spartan-and-jimb). – IhtkaS Nov 18 '19 at 14:15
  • When I renamed the repository and compiled the Go code on a new machine with the same code, i.e. referring to the old git repository, the package was successfully imported and compiled. So git should have redirected the old repository to point to the new repository. I doubted proxy.golang.org for this reason. – IhtkaS Nov 18 '19 at 14:20
  • You can see all the commands the `go` tool is issuing using the `-x` flag, and the proxy is just an http api which you can inspect to see what it contains. – JimB Nov 18 '19 at 14:24
  • The proxy protocol is described [here](https://golang.org/cmd/go/#hdr-Module_proxy_protocol). The protocol does not provide a way to transmit credentials. It follows that proxy.golang.org cannot access private repositories and therefore does not cache them. – Cerise Limón Nov 18 '19 at 14:31

1 Answer

From https://index.golang.org:

> If I don't set GOPRIVATE and request a private module from these services, what leaks? The proxy and checksum database protocols only send module paths and versions to the remote server. If you request a private module, the mirror will try to download it just as any Go user would and fail in the same way. Information about failed requests isn't published anywhere. The only trace of the request will be in internal logs, which are governed by the privacy policy.

With GOPRIVATE working as described at https://golang.org/cmd/go/#hdr-Module_configuration_for_non_public_modules:

> The GOPRIVATE environment variable controls which modules the go command considers to be private (not available publicly) and should therefore not use the proxy or checksum database. The variable is a comma-separated list of glob patterns (in the syntax of Go's path.Match) of module path prefixes. For example,
>
>     GOPRIVATE=*.corp.example.com,rsc.io/private
>
> causes the go command to treat as private any module with a path prefix matching either pattern, including git.corp.example.com/xyzzy, rsc.io/private, and rsc.io/private/quux.

To sum it up: if it is a private module, the proxy service tries to access it and will fail. I assume Go will then fall back to accessing it directly, circumventing the proxy altogether. To prevent this roundtrip, add your private repositories to GOPRIVATE, and if you are still concerned about it, use something like Wireshark to make double sure that your private modules are accessed directly.

Markus W Mahlberg
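Added example (not from the question, the answer, or the Go project's own code): a small re-implementation of the GOPRIVATE prefix-matching rule quoted in the answer, so you can check which module paths in a build would still be sent to proxy.golang.org and sum.golang.org. It assumes the documented semantics (path.Match applied to the leading path elements of the module path); the function names and the sample module list are constructed for illustration.

```go
// IsPrivateModule re-implements the documented GOPRIVATE matching rule;
// this is an illustration, not the go tool's own code.
package main

import (
	"fmt"
	"path"
	"strings"
)

// IsPrivateModule reports whether modulePath matches any glob in the
// comma-separated GOPRIVATE value. A glob with N path elements is matched
// against the first N elements of the module path, so "rsc.io/private"
// also covers "rsc.io/private/quux" but not "rsc.io/privateer".
func IsPrivateModule(goprivate, modulePath string) bool {
	target := strings.Split(modulePath, "/")
	for _, glob := range strings.Split(goprivate, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		n := strings.Count(glob, "/") + 1
		if len(target) < n {
			continue // module path has fewer elements than the pattern
		}
		if ok, _ := path.Match(glob, strings.Join(target[:n], "/")); ok {
			return true
		}
	}
	return false
}

// ProxyExposed returns the module paths that would still be requested from
// the public proxy and checksum database under the given GOPRIVATE setting.
func ProxyExposed(goprivate string, modules []string) []string {
	var exposed []string
	for _, m := range modules {
		if !IsPrivateModule(goprivate, m) {
			exposed = append(exposed, m)
		}
	}
	return exposed
}

func main() {
	// Constructed sample: the documentation's example patterns plus the asker's module.
	mods := []string{"git.corp.example.com/xyzzy", "rsc.io/private/quux", "rsc.io/privateer", "github.com/Ihtkas/libraries"}
	for _, m := range ProxyExposed("*.corp.example.com,rsc.io/private", mods) {
		fmt.Println(m, "would still be requested from the proxy; add it to GOPRIVATE")
	}
}
```

Run against your own `go list -m all` output to see which dependencies a given GOPRIVATE value leaves exposed to the public mirror before you rely on `go env -w GOPRIVATE=...`.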