[go-nuts] Fuzz testing is now beta ready!

2021-06-03 Thread Katie Hockman
Hi gophers!

Native fuzzing is ready for beta testing in its development branch,
dev.fuzz! Check out https://blog.golang.org/fuzz-beta for more details.

Fuzzing is a type of automated testing which continuously manipulates
inputs to a program to find issues such as panics or bugs. These
semi-random data mutations can discover new code coverage that existing
unit tests may miss, and uncover edge case bugs which would otherwise go
unnoticed. Since fuzzing can reach these edge cases, fuzz testing is
particularly valuable for finding security exploits and vulnerabilities.

See golang.org/s/draft-fuzzing-design for more details about this feature.

Best,
Katie on behalf of the Go team

-- 
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/CALvTBvd-MJY2PAoXn7jsXvZW-%2BbPr1MTRyzCmDJvYZ2wi2VRAg%40mail.gmail.com.


[go-nuts] [security] Go 1.16.1 and Go 1.15.9 are released

2021-03-10 Thread Katie Hockman
Hi gophers,

We have just released Go 1.16.1 and Go 1.15.9 to address recently reported
security issues. We recommend that all users update to one of these
releases (if you’re not sure which, choose Go 1.16.1).


   - encoding/xml: infinite loop when using xml.NewTokenDecoder with a
   custom TokenReader

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.

Thanks to Sam Whited for reporting this issue.

This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.


   - archive/zip: panic when calling Reader.Open

The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with “../”.

This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.

The upcoming minor releases of Go 1.16.2 and 1.15.10 will also include the
fixes above.

Downloads are available at https://golang.org/dl for all supported
platforms.

Note: we are proposing a new security policy for vulnerabilities in Go
releases. Join the discussion at golang.org/issue/44918.

Thank you,

Katie on behalf of the Go team
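
A caller-side check for the archive/zip issue announced above, as an added example that is not part of the original message or the Go project's code. It lists entry names that are not valid io/fs paths (which covers names starting with "../" and, more generally, any ".." element) before Reader.Open is used; the helper names and the sample archive are constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"strings"
)

// buildSampleZip returns a constructed in-memory archive holding one small
// entry per name. zip.Writer does not validate entry names.
func buildSampleZip(names []string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, name := range names {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte("constructed sample\n")); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// rejectedEntries (hypothetical helper) returns the entry names that
// fs.ValidPath refuses, such as names beginning with "../".
func rejectedEntries(data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20 and later can report zip.ErrInsecurePath while still returning
	// a usable reader; the names are inspected here either way.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var bad []string
	for _, f := range zr.File {
		// Directory entries end in "/", which fs.ValidPath does not accept.
		name := strings.TrimSuffix(f.Name, "/")
		if !fs.ValidPath(name) {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// readEntry (hypothetical helper) refuses the whole archive if any entry
// name is rejected, and only then reads name through Reader.Open.
func readEntry(data []byte, name string) ([]byte, error) {
	bad, err := rejectedEntries(data)
	if err != nil {
		return nil, err
	}
	if len(bad) > 0 {
		return nil, fmt.Errorf("archive rejected, unsafe entry names: %q", bad)
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	f, err := zr.Open(name)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return io.ReadAll(f)
}

func main() {
	data, err := buildSampleZip([]string{"docs/readme.txt", "../outside.txt"})
	if err != nil {
		panic(err)
	}
	bad, err := rejectedEntries(data)
	fmt.Printf("rejected=%q err=%v\n", bad, err)
	_, err = readEntry(data, "docs/readme.txt")
	fmt.Printf("readEntry on mixed archive: %v\n", err)
}
```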



[go-nuts] [security] Go 1.16.1 and Go 1.15.9 pre-announcement

2021-03-05 Thread Katie Hockman
Hello gophers,

We plan to issue Go 1.16.1 and Go 1.15.9 on Wednesday, March 10.
These are minor releases that include security fixes.

Following our policy at https://golang.org/security,
this is the pre-announcement of those releases.

Cheers,

Katie on behalf of the Go team



[go-nuts] [security] Go 1.15.5 and Go 1.14.12 are released

2020-11-12 Thread Katie Hockman
Hi gophers,

We have just released Go 1.15.5 and Go 1.14.12 to address recently reported
security issues. We recommend that all users update to one of these
releases (if you’re not sure which, choose Go 1.15.5).

   - math/big: panic during recursive division of very large numbers

A number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod,
ModInverse, ModSqrt, Jacobi, and GCD) can panic when provided crafted large
inputs. For the panic to happen, the divisor or modulo argument must be
larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit
architectures). Multiple math/big.Rat methods are similarly affected.

crypto/rsa.VerifyPSS, crypto/rsa.VerifyPKCS1v15, and crypto/dsa.Verify may
panic when provided crafted public keys and signatures. crypto/ecdsa and
crypto/elliptic operations may only be affected if custom CurveParams with
unusually large field sizes (several times larger than the largest supported
curve, P-521) are in use. Using crypto/x509.Verify on a crafted X.509
certificate chain can lead to a panic, even if the certificates don’t chain
to a trusted root. The chain can be delivered via a crypto/tls connection to
a client, or to a server that accepts and verifies client certificates.
net/http clients can be made to crash by an HTTPS server, while net/http
servers that accept client certificates will recover the panic and are
unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request or during a golang.org/x/crypto/otr conversation. Parsing a
golang.org/x/crypto/openpgp Entity or verifying a signature may crash.
Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host
key, while a server could panic if either PublicKeyCallback accepts a
malformed public key, or if IsUserAuthority accepts a certificate with a
malformed public key.

Thanks to the Go Ethereum team and the OSS-Fuzz project for reporting this.
Thanks to Rémy Oudompheng and Robert Griesemer for their help developing
and validating the fix.

This issue is CVE-2020-28362 and Go issue golang.org/issue/42552.


   - cmd/go: arbitrary code execution at build time through cgo

The go command may execute arbitrary code at build time when cgo is in use.
This may occur when running go get on a malicious package, or any other
command that builds untrusted code.


This can be caused by malicious gcc flags specified via a #cgo directive,
or by a malicious symbol name in a linked object file.


Thanks to Imre Rad and to
Chris Brown and Tempus Ex respectively for reporting these issues.


These issues are CVE-2020-28367 and CVE-2020-28366, and Go issues
golang.org/issue/42556 and golang.org/issue/42559 respectively.


Downloads are available at https://golang.org/dl for all supported
platforms.

Thank you,
Katie on behalf of the Go team



[go-nuts] [security] Go 1.15.5 and Go 1.14.12 pre-announcement

2020-11-09 Thread Katie Hockman
Hello gophers,


We plan to issue Go 1.15.5 and Go 1.14.12 on Thursday, November 12.
These are minor releases that include security fixes.

Following our policy at https://golang.org/security,
this is the pre-announcement of those releases.

Cheers,

Katie on behalf of the Go team



[go-nuts] [security] Go 1.15.1 and Go 1.14.8 pre-announcement

2020-08-27 Thread Katie Hockman
Hello gophers,

We plan to issue Go 1.15.1 and Go 1.14.8 on Tuesday, September 1.
These are minor releases that include a security fix.

Following our policy at https://golang.org/security, this is the
pre-announcement of those releases.

Cheers,
Roberto and Katie on behalf of the Go team



[go-nuts] [security] Go 1.14.7 and Go 1.13.15 are released

2020-08-06 Thread Katie Hockman
Hi gophers,

We have just released Go 1.14.7 and Go 1.13.15 to address a recently
reported security issue. We recommend that all users update to one of these
releases (if you’re not sure which, choose Go 1.14.7).

   - encoding/binary: ReadUvarint and ReadVarint can read an unlimited
   number of bytes from invalid inputs

Certain invalid inputs to ReadUvarint or ReadVarint could cause those
functions to read an unlimited number of bytes from the ByteReader argument
before returning an error. This could lead to processing more input than
expected when the caller is reading directly from a network and depends on
ReadUvarint and ReadVarint only consuming a small, bounded number of bytes,
even from invalid inputs.

With the update, ReadUvarint and ReadVarint now always return after
consuming a bounded number of bytes (specifically, MaxVarintLen64, which is
10). The result being returned has not changed; the functions merely detect
and return some errors without reading as much input.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van
Loon for reporting this issue.

This issue is CVE-2020-16845 and Go issue golang.org/issue/40618.


The upcoming Go 1.15rc2 release will also include the fix above.

Downloads are available at https://golang.org/dl for all supported
platforms.

Thank you,
Katie and Filippo on behalf of the Go team
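
The bounded-read behaviour described in the announcement above, as an added example that is not part of the original message or the Go project's code. It counts the bytes ReadUvarint pulls from a ByteReader and also enforces the MaxVarintLen64 bound on the caller's side; boundedByteReader, readUvarintBounded and the sample inputs are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// errHeaderTooLong is a hypothetical error used only by this example.
var errHeaderTooLong = errors.New("varint header exceeds MaxVarintLen64 bytes")

// boundedByteReader (hypothetical helper) counts the bytes it hands out and
// refuses to hand out more than limit, so the bound holds on the caller's
// side regardless of which Go release the program was built with.
type boundedByteReader struct {
	r     io.ByteReader
	limit int
	n     int
}

func (b *boundedByteReader) ReadByte() (byte, error) {
	if b.n >= b.limit {
		return 0, errHeaderTooLong
	}
	c, err := b.r.ReadByte()
	if err == nil {
		b.n++
	}
	return c, err
}

// readUvarintBounded decodes one uvarint from r and reports how many bytes
// were consumed, which is never more than binary.MaxVarintLen64 (10).
func readUvarintBounded(r io.ByteReader) (value uint64, consumed int, err error) {
	br := &boundedByteReader{r: r, limit: binary.MaxVarintLen64}
	value, err = binary.ReadUvarint(br)
	return value, br.n, err
}

func main() {
	// Constructed inputs: a valid encoding of 300, and 64 bytes that all
	// carry the continuation bit, so the varint never terminates.
	samples := []struct {
		name  string
		input []byte
	}{
		{"valid 300", []byte{0xAC, 0x02}},
		{"never terminates", bytes.Repeat([]byte{0x80}, 64)},
	}
	for _, s := range samples {
		rd := bytes.NewReader(s.input)
		v, n, err := readUvarintBounded(rd)
		fmt.Printf("%-17s value=%d consumed=%d left=%d err=%v\n",
			s.name, v, n, rd.Len(), err)
	}
}
```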



[go-nuts] [security] Go 1.14.7 and Go 1.13.15 pre-announcement

2020-08-03 Thread Katie Hockman
Hello gophers,

We plan to issue Go 1.14.7 and Go 1.13.15 on Thursday, August 6.
These are minor releases that include a security fix.

Following our policy at https://golang.org/security,
this is the pre-announcement of those releases.

Cheers,

Katie and Filippo on behalf of the Go team



[go-nuts] [security] Go 1.14.5 and Go 1.13.13 are released

2020-07-14 Thread Katie Hockman
Hi gophers,

We have just released Go 1.14.5 and Go 1.13.13 to address two recently
reported security issues. We recommend that all users update to one of
these releases (if you’re not sure which, choose Go 1.14.5).

   - Data race in certain net/http servers including ReverseProxy

Servers where the Handler concurrently reads the request body and writes a
response can encounter a data race and crash. The httputil.ReverseProxy
Handler is affected.

Thanks to Mikael Manukyan, Andrew Kutz, Dave McClure, Tim Downey, Clay
Kauzlaric, and Gabe Rosenhouse for reporting this issue.
This issue is CVE-2020-15586 and Go issue golang.org/issue/34902.

   - X.509 verification ignores provided EKUs on Windows

On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check
the EKU requirements specified in VerifyOptions.KeyUsages.

Thanks to Niall Newman for reporting this issue.
This issue is CVE-2020-14039 and Go issue golang.org/issue/39360.


The upcoming Go 1.15rc1 release will also include the fixes above.

We would also like to thank Andy Lindeman, who reported a cross-site
scripting vulnerability and a CSP bypass in pkg.go.dev, now fixed.

Downloads are available at https://golang.org/dl for all supported
platforms.

Thank you,

Katie and Filippo on behalf of the Go team




[go-nuts] [security] Go 1.14.5 and Go 1.13.13 pre-announcement

2020-07-09 Thread Katie Hockman
Hello gophers,

We plan to issue Go 1.14.5 and Go 1.13.13 on Tuesday, July 14.
These are minor releases that include multiple security fixes.

Following our policy at https://golang.org/security,
this is the pre-announcement of those releases.

Cheers,

Katie and Filippo on behalf of the Go team



[go-nuts] [security] Vulnerability in golang.org/x/text/encoding/unicode

2020-06-16 Thread Katie Hockman
Hello gophers,

Version v0.3.3 of golang.org/x/text fixes a vulnerability in the
golang.org/x/text/encoding/unicode package which could lead to the UTF-16
decoder entering an infinite loop, causing the program to crash or run out
of memory.

An attacker could provide a single byte to a UTF16 decoder instantiated with
UseBOM or ExpectBOM to trigger an infinite loop if the String function on the
Decoder is called, or the Decoder is passed to
golang.org/x/text/transform.String.

transform.String has also been hardened not to enter an infinite loop if a
Transformer keeps returning ErrShortSrc even if atEOF is true.

This issue was first filed as Issue 39491 by GitHub user abacabadabacaba and
reported to the security team by Anton Gyllenberg. It is tracked as
CVE-2020-14040.

Cheers,

Katie for the Go team



[go-nuts] [security] Go 1.13.7 and Go 1.12.16 are released

2020-01-28 Thread Katie Hockman
Hi gophers,

We have just released Go 1.13.7 and Go 1.12.16 to address recently reported
security issues. We recommend that all users update to one of these
releases (if you’re not sure which, choose Go 1.13.7).

   - X.509 certificate validation bypass on Windows 10

   A Windows vulnerability allows attackers to spoof valid certificate
   chains when the system root store is in use. These releases include a
   mitigation for Go applications, but it’s strongly recommended that affected
   users install the Windows security update to protect their system.
   This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.

   - Panic in crypto/x509 certificate parsing and
   golang.org/x/crypto/cryptobyte

   On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1
   parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic.
   The malformed certificate can be delivered via a crypto/tls connection
   to a client, or to a server that accepts client certificates. net/http
   clients can be made to crash by an HTTPS server, while net/http servers
   that accept client certificates will recover the panic and are unaffected.
   Thanks to Project Wycheproof for
   providing the test cases that led to the discovery of this issue.
   The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
   This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of
   golang.org/x/crypto/cryptobyte.

The upcoming Go 1.14rc1 release will also include the fixes above.

Downloads are available at https://golang.org/dl for all supported
platforms.

Thank you,

🐕 Katie and Dmitri on behalf of the Go team



[go-nuts] [security] Go 1.12.16 and Go 1.13.7 pre-announcement

2020-01-23 Thread Katie Hockman
Hello gophers,

We plan to issue Go 1.12.16 and Go 1.13.7 on Tuesday, January 28.
These are minor releases that include two security fixes.
One mitigates the CVE-2020-0601 certificate verification bypass on Windows.
The other affects only 32-bit architectures.

Following our policy at https://golang.org/security,
this is the pre-announcement of those releases.

Cheers,
Katie on behalf of the Go team



[go-nuts] [security] Go 1.13.2 and Go 1.12.11 are released

2019-10-17 Thread Katie Hockman
Hi gophers,

We have just released Go 1.13.2 and Go 1.12.11 to address a recently
reported security issue. We recommend that all affected users update to one
of these releases (if you’re not sure which, choose Go 1.13.2).

Invalid DSA public keys can cause a panic in dsa.Verify. In particular,
using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a
panic, even if the certificates don’t chain to a trusted root. The chain
can be delivered via a crypto/tls connection to a client, or to a server
that accepts and verifies client certificates. net/http clients can be made
to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.

Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request, parsing a golang.org/x/crypto/openpgp Entity, or during a
golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh
client can panic due to a malformed host key, while a server could panic if
either PublicKeyCallback accepts a malformed public key, or if
IsUserAuthority accepts a certificate with a malformed public key.

The issue is CVE-2019-17596 and Go issue golang.org/issue/34960.

Thanks to Daniel Mandragona for discovering and reporting this issue. We’d
also like to thank regilero for a previous disclosure of CVE-2019-16276.

The Go 1.13.2 release also includes a fix to the compiler that prevents
improper access to negative slice indexes in rare cases. Affected code, in
which the compiler can prove that the index is zero or negative, would have
resulted in a panic in Go 1.12.11, but could have led to arbitrary memory
reads and writes in Go 1.13 and Go 1.13.1. This is Go issue
golang.org/issue/34802.

Downloads are available at https://golang.org/dl for all supported
platforms.

Cheers,
🐕 Katie on behalf of the Go team



[go-nuts] Re: [security] Go 1.13.2 and Go 1.12.11 pre-announcement

2019-10-15 Thread Katie Hockman
Hello gophers,

As an update, the security releases of Go 1.13.2 and Go 1.12.11 have been
moved to *Thursday, October 17*.
We will use the extra time to ensure the fixes are complete and correct.
Sorry for the inconvenience.

Cheers,
Katie on behalf of the Go team

On Fri, Oct 11, 2019 at 5:21 PM Katie Hockman wrote:

> Hello gophers,
>
> We plan to issue Go 1.13.2 and Go 1.12.11 on Wednesday, October 16.
> These are minor releases to fix security issues.
>
> Following our policy at https://golang.org/security,
> this is the pre-announcement of those releases.
>
> Cheers,
> Katie on behalf of the Go team
>



[go-nuts] Go 1.13.2 and Go 1.12.11 pre-announcement

2019-10-11 Thread Katie Hockman
Hello gophers,

We plan to issue Go 1.13.2 and Go 1.12.11 on Wednesday, October 16.
These are minor releases to fix security issues.

Following our policy at https://golang.org/security,
this is the pre-announcement of those releases.

Cheers,
Katie on behalf of the Go team



[go-nuts] Re: Go Module Mirror and Checksum Database officially launched!

2019-09-03 Thread Katie Hockman
I'm also excited to share that sum.golang.google.cn is now available to
Chinese users as a mirror of sum.golang.org. You can use this service by
setting GOSUMDB=sum.golang.google.cn in your local environment.

On Thu, Aug 29, 2019 at 2:53 PM Katie Hockman wrote:

> Hey Gophers!
>
> We have exciting news to share. Our module mirror
> <https://proxy.golang.org>, index <https://index.golang.org>, and checksum
> database <https://sum.golang.org> are now production ready, and will be
> on by default for Go 1.13 module users
> <https://tip.golang.org/doc/go1.13#introduction>! Check out the new blog
> post <https://blog.golang.org/module-mirror-launch> for more details.
>
> Privacy information can be found at proxy.golang.org/privacy, which has
> recently been updated to provide more clarity around what happens to your
> data when you use these services.
>
> Please file issues <https://golang.org/issue/new?title=proxy.golang.org>
> if you spot them or provide feedback with the title prefix
> “proxy.golang.org:” (or index.golang.org, or sum.golang.org). Thanks to
> everyone who has used these services, filed issues, and given us feedback
> over the last few months. We’ve really appreciated it and it’s helped us
> build a more robust service!
>
> Cheers,
> Katie Hockman
>



[go-nuts] Go Module Mirror and Checksum Database officially launched!

2019-08-29 Thread Katie Hockman
Hey Gophers!

We have exciting news to share. Our module mirror <https://proxy.golang.org>,
index <https://index.golang.org>, and checksum database
<https://sum.golang.org> are now production ready, and will be on by
default for Go 1.13 module users
<https://tip.golang.org/doc/go1.13#introduction>! Check out the new blog
post <https://blog.golang.org/module-mirror-launch> for more details.

Privacy information can be found at proxy.golang.org/privacy, which has
recently been updated to provide more clarity around what happens to your
data when you use these services.

Please file issues <https://golang.org/issue/new?title=proxy.golang.org> if
you spot them or provide feedback with the title prefix “proxy.golang.org:”
(or index.golang.org, or sum.golang.org). Thanks to everyone who has used
these services, filed issues, and given us feedback over the last few
months. We’ve really appreciated it and it’s helped us build a more robust
service!

Cheers,
Katie Hockman



Re: [go-nuts] Go Module Mirror and Checksum Database in Beta!

2019-05-31 Thread Katie Hockman
Thanks for the feedback! There is an issue tracking this here:
https://github.com/golang/go/issues/32343

On Fri, May 31, 2019, 3:17 PM Jim Ancona wrote:

>
>
> On Thu, May 30, 2019 at 5:14 PM Katie Hockman wrote:
>
>> Our privacy policy explains how we collect and use your information. The
>> privacy policy for all of these services is proxy.golang.org/privacy.
>>
>
> I tried visiting that page, which redirected to
> https://policies.google.com/privacy. Unfortunately that page doesn't
> really help me to understand what data you will collect from
> proxy.golang.org or sum.golang.org and how you might use it. Is there a
> clear and simple explanation of that available? If no, perhaps there should
> be.
>
> Thanks!
>
>



[go-nuts] Go Module Mirror and Checksum Database in Beta!

2019-05-30 Thread Katie Hockman
Hey Gophers!



In the blog post Go Modules in 2019 <https://blog.golang.org/modules2019>,
we announced our intent to provide a module mirror for accelerating Go
module downloads, an index for discovering new modules, and a checksum
database for authenticating module content.



We are excited to share that our module mirror, index, and checksum
database are now in beta, and are currently the default at tip for Go 1.13
development branch module-users!



Our privacy policy explains how we collect and use your information. The
privacy policy for all of these services is proxy.golang.org/privacy.



The module mirror at proxy.golang.org serves the go command’s proxy
protocol. The Go 1.13 development tree uses this mirror for all module
downloads by default. See the go command documentation at tip
<https://tip.golang.org/cmd/go/#hdr-Module_downloading_and_verification>
for details. To make earlier versions of the go command use it (when in
module mode), set GOPROXY=https://proxy.golang.org.



The checksum database at sum.golang.org helps verify new downloads from
proxies or direct fetches, serving the URLs described in the Secure the
Public Go Module Ecosystem
<https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md>
proposal. The Go 1.13 development tree checks new module versions against
the checksum database by default. Earlier versions of the go command cannot
directly use the checksum database.

See the go command documentation at tip
<https://tip.golang.org/cmd/go/#hdr-Module_authentication_failures> for
details.



If you are using Go 1.12 or earlier, you can manually check a go.sum file
against the checksum database with gosumcheck
<https://godoc.org/golang.org/x/exp/sumdb/gosumcheck>:


    go get golang.org/x/exp/sumdb/gosumcheck
    gosumcheck /path/to/go.sum


The module index at index.golang.org serves a feed of module versions in
the order they are discovered. For example, see
https://index.golang.org/index?since=2019-03-04T18:00:15.161182-07:00



We hope you’ll try out these new services! Please file issues
<https://github.com/golang/go/issues/new> if you spot them, with the title
prefix “proxy.golang.org:” (or index.golang.org, or sum.golang.org). We
look forward to hearing about how it’s working for you!

Cheers,

Katie Hockman



[go-nuts] Go 1.12.1 and Go 1.11.6 are released

2019-03-14 Thread Katie Hockman
Hello gophers,

We have just released Go versions 1.12.1 and 1.11.6, minor point releases.

These releases include fixes to cgo, the compiler, the go command,
and the fmt, net/smtp, os, path/filepath, sync, and template packages.

View the release notes for more information:
https://golang.org/doc/devel/release.html#go1.12.minor

You can download binary and source distributions from the Go web site:
https://golang.org/dl/

To compile from source using a Git clone, update to the release with
"git checkout go1.12.1" and build as usual.

Thanks to everyone who contributed to the release.

Cheers,
Katie for the Go team



[go-nuts] Go 1.11.1 is released

2018-10-02 Thread Katie Hockman
Hello gophers,

We have just released Go version 1.11.1, a minor point release.

This release includes fixes to the compiler, documentation, go
command, runtime, and the crypto/x509, encoding/json, go/types, net,
net/http, and reflect packages.

View the release notes for more information:
https://golang.org/doc/devel/release.html#go1.11.minor

You can download binary and source distributions from the Go web site:
https://golang.org/dl/

To compile from source using a Git clone, update to the release with
"git checkout 1.11.1" and build as usual.

Thanks to everyone who contributed to the release.

Cheers,
Katie for the Go Team
