[tor-bugs] #32027 [Applications/Tor Browser]: Bump version of Go to 1.13+

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Oct 10 17:29:16 UTC 2019 

#32027: Bump version of Go to 1.13+
--------------------------------------+---------------------------
 Reporter:  cohosh                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:  snowflake
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+---------------------------

Comment (by dcf):

 Another thing to watch out for in Go 1.13. By default, even commands like
 `go build` will phone home to proxy.golang.org and sum.golang.org. See:
  * https://golang.org/doc/go1.13#modules
  * https://proxy.golang.org/
    > As of Go 1.13, the go command by default downloads and authenticates
 modules using the Go module mirror and Go checksum database.
  * https://golang.org/cmd/go/#hdr-Module_downloading_and_verification
    > The go command can fetch modules from a proxy or connect to source
 control servers directly, according to the setting of the GOPROXY
 environment variable (see 'go help env'). The default setting for GOPROXY
 is "https://proxy.golang.org,direct", which means to try the Go module
 mirror run by Google and fall back to a direct connection if the proxy
 reports that it does not have the module (HTTP error 404 or 410).

 The phone-home behavior is annoying, but probably mostly harmless in the
 rbm context. To disable the proxy.golang.org reporting, you can set
 `GOPROXY=direct` -- but even better for us may be `GOPROXY=off`, which is
 supposed to "disallow downloading modules from any source," which is what
 we want during the offline portion of the build.

 To disable the sum.golang.org reporting, you can set `GOSUMDB=off`.
 https://golang.org/cmd/go/#hdr-Module_authentication_failures
 > If GOSUMDB is set to "off", or if "go get" is invoked with the -insecure
 flag, the checksum database is not consulted, and all unrecognized modules
 are accepted, at the cost of giving up the security guarantee of verified
 repeatable downloads for all modules.

 I personally had problems this week with checksum mismatches using
 go1.13.1 -- it turns out they changed how checksums are calculated with
 respect to symlinks, or something, and invalidated previous checksums. I
 tried clearing my cache and everything, and could not get
 https://github.com/lucas-clemente/quic-go to build using go1.13.1 because
 of checksum mismatches. So if you get "checksum mismatch" errors, it's
 something related to that.
  * https://github.com/golang/go/issues/29278
  *
 https://github.com/search?utf8=%E2%9C%93&q=golang+checksum+mismatch&type=Issues

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32027#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list