SourceHut nixes grabby Go module proxy • Plans to ban The Register.

After taking notice of Google’s complaints, Git-based code host Source Hut will no longer block the Go module mirror as planned.

Here’s the situation: For the past two years, SourceHut has struggled to cope with the volume of data requested by the Go module proxy when developers use the tool to fetch repositories from biz via git clone operations.

When working in Google’s Go programming language, modules consist of a set of Go packages with specific versions bundled with them. running go get Fetch the requested packages along with any new dependencies declared in the command module from the command line interface.

Combining this code with version control can cause delays and tax the repository because the command can change the entire commit history of a repo to resolve the version – whether built or not.

The Go module mirror should work quickly by only requesting the specific metadata or source code it needs.

“A module mirror is a special type of module proxy that caches metadata and source code in its own storage system, allowing the mirror to continue serving source code that is no longer available from the original locations,” Go describes documentation. “This can speed up downloads and save you from running out of dependencies.”

Alas, the proxy turned out to be unethical, asking for more data than a small code hosting firm could reasonably afford. A year ago, SourceHit founder, Drew DeWalt, likened the situation to a distributed denial of service attack. And last month, it committed to banning excessive caching of SourceHut repos on the Go module mirror.

Finally, DeVault’s two-year crusade — documented in detail as a GitHub issue post — has produced results. On Tuesday, updating his Jan. 9 post, he said the Go team had been contacted by the Russia Caucus. After some discussion, the Go team plans to revise this. go Command line tool to support -reuse flag, which will reduce the traffic generated by fetching modules.

“Meanwhile, from the automatic refresh traffic was disabled for SourceHut, which the Go team assures us should have little or no impact on users and which reduces the load on our systems to a manageable level,” DeWalt said. explained.

He also suggested that the Go team recognized that it was responsible for demanding too much from small data hosts.

“The Go Team has decided that automatic refresh behavior is their responsibility, not the responsibility of other operators, so hopefully no other small hosts will be affected as the Go Team enables or disables refresh behavior at its discretion. Will do. Third party operators in mind,” he said.

Therefore, the banning plan is a no-brainer. Go to traffic. There is a green light again.

A Google spokesperson declined to comment, saying only that the details in the Source Hit blog post speak for themselves. ®

Leave a Comment