deprecate using GOPRIVATE in favor of GOGARBLE (#427)
Piggybacking off of GOPRIVATE is great for a number of reasons:

* People tend to obfuscate private code, whose package paths will generally be in GOPRIVATE already
* Its meaning and syntax are well understood
* It allows all the flexibility we need without adding our own env var or config option

However, using GOPRIVATE directly has one main drawback. It's fairly common to also want to obfuscate public dependencies, to make the code in private packages even harder to follow. However, using "GOPRIVATE=*" will result in two main downsides:

* GONOPROXY defaults to GOPRIVATE, so the proxy would be entirely disabled. Downloading modules, such as when adding or updating dependencies, or when the local cache is cold, can be less reliable.
* GONOSUMDB defaults to GOPRIVATE, so the sumdb would be entirely disabled. Adding entries to go.sum, such as when adding or updating dependencies, can be less secure.

We will continue to consume GOPRIVATE as a fallback, but we now expect users to set GOGARBLE instead. The new logic is documented in the README.

While here, rewrite some uses of "private" with "to obfuscate", to make the code easier to follow and harder to misunderstand.

Fixes #276.

pull/428/head
parent a645929151
commit fceb19f6da
@ -1,19 +1,25 @@
|
||||
# Ensure that "does not match any packages" works with GOPRIVATE and GOGARBLE.
|
||||
env GOGARBLE=match-absolutely/nothing
|
||||
! garble build -o=out ./standalone
|
||||
stderr '^GOGARBLE="match-absolutely/nothing" does not match any packages to be built$'
|
||||
|
||||
env GOGARBLE=
|
||||
env GOPRIVATE=match-absolutely/nothing
|
||||
! garble build -o=out ./standalone
|
||||
stderr '^GOPRIVATE="match-absolutely/nothing" does not match any packages to be built$'
|
||||
stderr '^GOGARBLE="match-absolutely/nothing" does not match any packages to be built$'
|
||||
|
||||
env GOPRIVATE=test/main/imported
|
||||
env GOGARBLE=test/main/imported
|
||||
garble build ./importer
|
||||
|
||||
# Obfuscated packages which import non-obfuscated std packages.
|
||||
# Some of the imported std packages use "import maps" due to vendoring,
|
||||
# and a past bug made this case fail for "garble build".
|
||||
env GOPRIVATE=test/main
|
||||
env GOGARBLE=test/main
|
||||
garble build -o=out ./stdimporter
|
||||
|
||||
[short] stop # rebuilding std is slow
|
||||
|
||||
env GOPRIVATE='*'
|
||||
env GOGARBLE='*'
|
||||
|
||||
# Try garbling all of std, given some std packages.
|
||||
# No need for a main package here; building the std packages directly works the
|
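Review bot: In the fallback case (`env GOGARBLE=` followed by `env GOPRIVATE=match-absolutely/nothing`), the expected stderr names `GOGARBLE="match-absolutely/nothing"`, a variable the user left empty. The +/- markers are lost in this rendering, but if that is the added expectation, consider having the error name the variable the pattern was actually read from, or mention the GOPRIVATE fallback, so someone who has only set GOPRIVATE can tell where the value came from. The later cases set only GOGARBLE; if GOPRIVATE is still `match-absolutely/nothing` at that point, they depend on GOGARBLE taking precedence without saying so, and a one-line comment or an explicit case with both variables set to different patterns would document that.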