[Buildroot] [PATCH v2 1/2] package/pkg-golang.mk: make GOPROXY configurable

yann.morin at orange.com yann.morin at orange.com
Tue Oct 21 06:44:13 UTC 2025 

James, All,

On 2025-10-20 23:49 -0600, James Hilliard spake thusly:
> On Mon, Oct 20, 2025 at 11:36 PM <yann.morin at orange.com> wrote:
[--SNIP--]
> The issue is that it's expected by upstream go packages that all
> hashes are for cached goproxy sources, not direct sources. So
> direct sources breaking wouldn't even be considered an issue
> by an upstream package as they always use cached sources.

Actually, some do care:

    https://github.com/elastic/beats/issues/36949

> > [--SNIP--]
> > > FWIW I've overridden it to "direct" in my own Buildroot branch as I
> > > still prefer from-Git sources.
> > Yes, I believe this should be the default.
> This will break package downloads, package downloads essentially
> always work with the caching goproxy because that's what the go
> ecosystem decided on for their default. Overriding the golang default
> causes a lot of breakage because of this.

Stating "a lot" is a bit of an exageration: in the many years we have
had the go vendoring in Buildroot, tailscale is the first that is
reported to be causing an actual issue (I remember some previous issues
that were eventually resolved one way or the other, but not by using a
proxy).

Speaking of that: do all the go packages we have in Buildroot still
download OK with this change and without using s.b.o (and of course
without a local dl/)?

[--SNIP--]
> > In the end, it shows that using a goproxy is not a magic bullet to solve
> > vendoring when upstream and the goproxy disagree on the content of a
> > version...
> That's not true due to all packages expecting the cached goproxy sources
> to be valid. From my understanding GOPROXY=direct is simply not
> reliable enough for go projects with larger dependency trees.

That's unfortunate, and adds a layer of uncertainty in the mix, allowing
for supply-chain attacks à-la NPM or PyPi to be made against a goproxy.

Regards,
Yann E. MORIN.

-- 
                                        ____________
.-----------------.--------------------:       _    :------------------.
|  Yann E. MORIN  | Real-Time Embedded |    __/ )   | /"\ ASCII RIBBON |
|                 | Software  Designer |  _/ - /'   | \ / CAMPAIGN     |
| +33 638.411.245 '--------------------: (_    `--, |  X  AGAINST      |
| yann.morin (at) orange.com           |_="    ,--' | / \ HTML MAIL    |
'--------------------------------------:______/_____:------------------'

____________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

More information about the buildroot mailing list