I'm worried people will forget this is turned off and not realize we're exposing ourselves

Open n3wscott opened this issue 5 years ago • 4 comments

I'm worried people will forget this is turned off and not realize we're exposing ourselves

Can we add retries for CI?

Originally posted by @dprotaso in https://github.com/knative/hack/pull/10#issuecomment-720670333

Nov 03 '20 18:11 n3wscott

Further discussion: https://knative.slack.com/archives/CCSNR4FCH/p1604425778429100

Nov 16 '20 17:11 dprotaso

Slack context is lost; please reopen with context whenever.

Sep 19 '23 14:09 krsna-m

Context:

When we fetch dependencies we were getting 4xx errors because they didn't show up in the module mirror and checksum database (there's a bit of a delay). To avoid this we turned off using the mirror and the checksum db. Doing this opens us up to a potential supply chain attack - since we aren't verifying the sums.

Settings are here: https://go.dev/ref/mod#checksum-database

Sep 19 '23 15:09 dprotaso

I think the env var settings let you tweak which modules we do verification on - that could be a minimal option here.

Sep 19 '23 15:09 dprotaso
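As an added illustration of the scoping option raised in the last comment (not code from this thread or from knative/hack): the sketch below compares `GOSUMDB=off` with a scoped `GONOSUMDB` pattern, using the go command's prefix-glob matching rule for that variable. The function names, the module paths and the `knative.dev` pattern are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns reports whether a leading path prefix of target matches
// one of the comma-separated globs (path.Match syntax). This is the rule the
// go command applies to GONOSUMDB and GOPRIVATE.
func matchPrefixPatterns(globs, target string) bool {
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		n := strings.Count(glob, "/") + 1 // path elements in the pattern
		elems := strings.Split(target, "/")
		if glob == "" || len(elems) < n {
			continue
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// sumdbVerifies reports whether a module not yet listed in go.sum would be
// checked against the checksum database under the given settings.
// GOPRIVATE only supplies the default when GONOSUMDB is empty.
func sumdbVerifies(gosumdb, gonosumdb, goprivate, modulePath string) bool {
	if gosumdb == "off" {
		return false
	}
	if gonosumdb == "" {
		gonosumdb = goprivate
	}
	return !matchPrefixPatterns(gonosumdb, modulePath)
}

func main() {
	// Constructed module paths and pattern, for illustration only.
	mods := []string{"knative.dev/pkg", "github.com/google/uuid", "k8s.io/api"}
	for _, m := range mods {
		fmt.Printf("%-24s off=%v scoped=%v\n", m,
			sumdbVerifies("off", "", "", m),
			sumdbVerifies("sum.golang.org", "knative.dev", "", m))
	}
}
```

With the scoped pattern only the listed prefix skips the checksum database; every other dependency is still verified, whereas `GOSUMDB=off` skips it for all of them.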