How do you stop people from downloading and deploying arbitrary python or 
java libs?

I can see that more than a developer policy is needed since it takes a 
corrupt employee only one try to break the system before they’re caught, 
and if the employee actually just made a mistake then firing them would be 
worse than not allowing this at all.

> In our production environment this isn't even an issue because we can't 
> even reach out to the internet in builds/deploys because it's limited to 
> only internal locations.


It could be if the developer checks the outside package into the vendor 
directory.

> Our internal packaging team's biggest worry is that we don't want someone to 
> download something to their development laptop, compile the code into a 
> standalone binary, then deploy that out to our container platforms.


I think you’d have to trust anybody that has this power. Perhaps deployment 
can be limited to only the official build channel?

Matt

On Friday, March 2, 2018 at 9:29:13 AM UTC-6, Brendan O'Dwyer wrote:
>
> Yes (technically) our deploys are controlled via gitlab. 
>
> Our internal packaging team's biggest worry is that we don't want someone 
> to download something to their development laptop, compile the code into a 
> standalone binary, then deploy that out to our container platforms.
>
> In our production environment this isn't even an issue because we 
> can't even reach out to the internet in builds/deploys because it's limited 
> to only internal locations. Their concern is that in development people 
> could `go get` packages that are not approved, then deploy those. While 
> that is super cool and awesome in open source worlds, unfortunately I work 
> for a bank that really likes to restrict and limit things so that they are 
> as secure as can be.
>
> On Wednesday, February 21, 2018 at 4:18:54 PM UTC-6, matthe...@gmail.com 
> wrote:
>>
>> Are the builds and deployment controlled? The command “go list” can be 
>> used to simplify parsing the imports in each package, so a script could 
>> check that every import is either an allowed standard library package or 
>> one matching your internal URL.
>>
>> Matt
>>
>> On Wednesday, February 21, 2018 at 11:37:35 AM UTC-6, Brendan O'Dwyer 
>> wrote:
>>>
>>> My company wants to start using go more, and traditionally when we use 
>>> java and python, when we package them for the developer laptops we override 
>>> settings and configs for the installs to point to our internal Artifactory 
>>> so that we don't have developers using packages that haven't been ok'd for 
>>> use. I was wondering if there was any way to do this or configure go to 
>>> limit what it's allowed to import from the open internet with the `go get` 
>>> command?
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
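The check Matt describes above, written out as an added example that is not code from either poster or from the Go project: it reads the JSON that `go list -json -deps` emits for every package in the dependency closure, accepts anything the toolchain flags as standard library, and reports every remaining import path that does not start with an approved internal prefix. The prefix `git.example.internal/` is a placeholder for the bank's own Artifactory or GitLab host, and `sampleGoList` is constructed output in the shape of `go list -json`, included so the check runs offline. It also covers the vendor-directory case raised in the reply: a package checked into `vendor/` is mapped back to its origin path before the policy is applied, so copying an outside package into the tree does not hide it. Running this in the GitLab build channel rather than on laptops is what makes it enforceable.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// listedPackage holds the fields of `go list -json` output the check needs;
// names match the JSON keys the go tool emits.
type listedPackage struct {
	ImportPath string
	Standard   bool
	Imports    []string
}

// Policy is the import allow-list: an import path that is neither standard
// library nor under one of these prefixes is a violation.
type Policy struct {
	AllowedPrefixes []string
}

// stripVendor maps "repo/vendor/github.com/x/y" to "github.com/x/y" so a
// third-party package checked into a vendor directory is judged by where it
// came from, not by the path it was copied to.
func stripVendor(path string) string {
	if i := strings.LastIndex(path, "/vendor/"); i >= 0 {
		return path[i+len("/vendor/"):]
	}
	return strings.TrimPrefix(path, "vendor/")
}

func (p Policy) allowed(path string) bool {
	for _, prefix := range p.AllowedPrefixes {
		if strings.HasPrefix(path, prefix) {
			return true
		}
	}
	return false
}

// Check reads a stream of go list JSON objects and returns the sorted,
// de-duplicated import paths that violate the policy. Standard-library
// packages are recognised by the Standard flag, not by a hand-written list.
func Check(goListJSON io.Reader, policy Policy) ([]string, error) {
	dec := json.NewDecoder(goListJSON)
	seen := map[string]bool{}
	var violations []string
	for {
		var pkg listedPackage
		if err := dec.Decode(&pkg); err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if pkg.Standard {
			continue
		}
		origin := stripVendor(pkg.ImportPath)
		if !policy.allowed(origin) && !seen[origin] {
			seen[origin] = true
			violations = append(violations, origin)
		}
	}
	sort.Strings(violations)
	return violations, nil
}

// CheckTree runs `go list -json -deps <pattern>` (pattern is usually "./...")
// in the current directory and checks the whole dependency closure.
func CheckTree(pattern string, policy Policy) ([]string, error) {
	cmd := exec.Command("go", "list", "-json", "-deps", pattern)
	var out bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = os.Stderr
	if err := cmd.Run(); err != nil {
		return nil, err
	}
	return Check(&out, policy)
}

// sampleGoList is constructed output in the shape of `go list -json -deps`:
// one std package, one internal package, one outside package fetched with
// `go get`, and one outside package hidden under a vendor directory.
const sampleGoList = `
{"ImportPath": "fmt", "Standard": true}
{"ImportPath": "git.example.internal/payments/ledger", "Imports": ["fmt", "github.com/someone/yaml"]}
{"ImportPath": "github.com/someone/yaml"}
{"ImportPath": "git.example.internal/payments/vendor/golang.org/x/text/unicode/norm"}
`

func main() {
	policy := Policy{AllowedPrefixes: []string{"git.example.internal/"}}
	violations, err := Check(strings.NewReader(sampleGoList), policy)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if len(violations) == 0 {
		fmt.Println("all imports approved")
		return
	}
	fmt.Println("unapproved imports:")
	for _, v := range violations {
		fmt.Println("  ", v)
	}
	os.Exit(1) // non-zero so a CI job fails the build
}
```

In a real pipeline `main` would call `CheckTree("./...", policy)` instead of feeding the sample, and the deploy job would depend on that job passing. The `Standard` flag and `-deps` come from the go tool (Go 1.10 and later); everything else here is the added example's own assumption.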