SourceHut, an open source code hosting platform, announced that it will Go Module mirror“Blacklisted” and will disable git access to the Go Module mirror on February 24, 2023.

According to reports, starting from February 24, users are using Go packages that import modules from the SourceHut repository.go getor similar commands, you will encounter an error message similar to the following:


$ go get
go: downloading git.sr.ht/~sircmpwn/foobaz v0.0.0-20230108094957-81402546c10e
go: git.sr.ht/~sircmpwn/foobaz@v0.0.0-20230108094957-81402546c10e: verifying module: git.sr.ht/~sircmpwn/foobaz@v0.0.0-20230108094957-81402546c10e: reading https://sum.golang.org/lookup/git.sr.ht/~sircmpwn/foobaz@v0.0.0-20230108094957-81402546c10e: 404 Not Found
	server response:
	not found: git.sr.ht/~sircmpwn/foobaz@v0.0.0-20230108094957-81402546c10e: invalid version: git ls-remote -q origin in /tmp/gopath/pkg/mod/cache/vcs/568e5edafe93f7887c0b6f718b0f17ea91c63c35822fb28628535f172b5429b7: exit status 128:
		fatal: unable to access 'https://git.sr.ht/~sircmpwn/foobaz/': The requested URL returned error: 429

solution:


$ export GOPRIVATE=git.sr.ht
$ go get # works

For more details, read on.

For Go developers, they need to obtain Go Module through git, so developers usegit.sr.ht/~sircmpwn/dowork” to importThe corresponding repository will be fetched by the toolchain via git to make it available in the user’s Go environment. Every request is routed through the proxy service at proxy.golang.org, which provides a number of features:

  • Provides reliable and fast access to Go Module downloads via Google’s cache
  • Store redundant copies of Go Modules to ensure availability
  • An independent source for the checksum database to record its checksums
  • Provides an index of new Go Modules

But this comes with many disadvantages. For example, most Go developers are unaware that every package they fetch comes with a request to Google’s servers, which means securing a trust relationship with Google to return the real package. Additionally, if the underlying source repository disappears or gets out of sync with the cache, this problem is invisible to Go developers, which could cause their software to depend on modules or versions of modules that no longer exist.

For SourceHut, the proxy service periodically fetches Go packages from source repositories to check for updates. These requests come from many servers that are not coordinated with each other to reduce their work, and can be as frequent as 2500 per hour, often with dozens of clones at a time, and are usually highly redundant: one git repository can be fetched per hour 100+ times.

According to SourceHut, this traffic creates an excessive background workload. They reached out to the Go team to work together on a solution, but without success. Therefore, they have decided to block the Go Module mirror and will restore access to the Go Module mirror after the above issues are resolved.

#Open #source #code #hosting #platform #SourceHut #blocks #Module #mirroring #News Fast Delivery

Leave a Comment

Your email address will not be published. Required fields are marked *