On Fri, May 10, 2024 at 2:11 PM Tobias Klausmann
<klaus...@schwarzvogel.de> wrote:
>
> On Fri, 10 May 2024, Ian Lance Taylor wrote:
> > This is a choice made by Go.  You can override with the -modcacherw
> > option to "go build", "go test", "go install", and similar code.  You
> > can make that option the default by setting GOFLAGS in the environment
> > or via "go env GOFLAGS=...".
> >
> > You can also remove the module cache using "go clean -modcache".
>
> Thanks for the explanation! What is the rationale for the read-only
> perms, though?

It's essential for supply chain security that builds with a specific
version of a package always use the same code.  It's natural for
debugging for people to look at the source code in the module cache.
Making that source code read-only removes a class of accidents in
which somebody looking at the code in the module cache modifies it,
without necessarily realizing that that will affect all builds on that
machine that use that package.

Ian
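
An added example, not part of the original message and not code from the Go project: a small Go check that reports entries with a write permission bit set inside one extracted module directory, which is what appears when the cache was populated with -modcacherw or the permissions were changed afterwards. The directory layout (`$GOMODCACHE/<module path>@<version>`) and the helper name `writableEntries` are assumptions of this example.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// writableEntries walks one extracted module tree (assumed layout:
// $GOMODCACHE/<module path>@<version>) and returns every entry that has a
// write permission bit set for owner, group or other.
func writableEntries(root string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode()&fs.ModeSymlink != 0 {
			return nil // a link's mode bits say nothing about its target
		}
		if info.Mode().Perm()&0o222 != 0 {
			found = append(found, path)
		}
		return nil
	})
	return found, err
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: modperm <extracted module directory>")
		os.Exit(2)
	}
	found, err := writableEntries(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "walk failed:", err)
		os.Exit(1)
	}
	for _, p := range found {
		fmt.Println("writable:", p)
	}
	if len(found) > 0 {
		os.Exit(1) // non-zero exit so a CI step can fail on a writable tree
	}
}
```

The permission check only shows whether the read-only guard is still in place; `go mod verify` is the command that checks cached module content against the hashes recorded at download time.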
