
[WIP] Enhancement: Added a switch for kpm checksum to work without checksum #606


Open
zong-zhe opened this issue Feb 26, 2025 · 4 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@zong-zhe
Contributor

Enhancement

At present, kpm needs to make network requests to obtain the checksums of third-party dependencies while managing them, which may cause the tool to fail to run in an offline environment and lead to increased time consumption.

More details: #605

So I looked into how go mod solves a similar problem.

Skip Go Module Checksum Verification

Using GONOSUMDB

What is GONOSUMDB?
  • GONOSUMDB is an environment variable that specifies module paths or patterns for which Go skips checksum validation against sum.golang.org.
  • Use Case: Ideal for private/internal repositories or environments where accessing sum.golang.org is restricted.
Configuration
  • Temporary Setup (current terminal session):
    export GONOSUMDB="github.com/yourcompany/*,git.example.com"
  • Permanent Setup (add to shell config):
    echo 'export GONOSUMDB="github.com/yourcompany/*,git.example.com"' >> ~/.bashrc  # or ~/.zshrc
    source ~/.bashrc  # reload the configuration
Path Rules
  • Exact Paths: github.com/yourteam/private-lib
  • Wildcards: github.com/yourteam/* (matches all subpaths).
  • Multiple Paths: Separate entries with commas.
Example

For private dependencies:

  • github.com/yourteam/utils
  • git.example.com/internal/auth

Configure:

export GONOSUMDB="github.com/yourteam/*,git.example.com/internal/auth"

Now, all modules under github.com/yourteam and git.example.com/internal/auth will bypass the public checksum database.
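
The path rules above, as an added example that is not part of the original post and is not kpm or Go toolchain code: a standard-library sketch of the prefix-glob matching Go documents for GONOSUMDB, used to list which module paths a given pattern exempts from checksum-database lookups. The function names `skipsSumDB` and `unverified` and the module list are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// skipsSumDB reports whether modulePath matches any comma-separated glob.
// A glob with N path elements is compared against the first N elements of
// the module path, so a matching prefix exempts every subpath below it.
func skipsSumDB(patterns, modulePath string) bool {
	elems := strings.Split(modulePath, "/")
	for _, glob := range strings.Split(patterns, ",") {
		n := strings.Count(glob, "/") + 1
		if glob == "" || n > len(elems) {
			continue // empty entry, or module path shorter than the pattern
		}
		prefix := strings.Join(elems[:n], "/")
		if ok, _ := path.Match(glob, prefix); ok {
			return true
		}
	}
	return false
}

// unverified returns the modules from mods that would bypass the checksum DB.
func unverified(patterns string, mods []string) []string {
	var out []string
	for _, m := range mods {
		if skipsSumDB(patterns, m) {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// Pattern taken from the issue text; the module list is constructed sample data.
	patterns := "github.com/yourteam/*,git.example.com/internal/auth"
	mods := []string{
		"github.com/yourteam/utils", "github.com/yourteam/utils/v2/log",
		"github.com/yourteam", "git.example.com/internal/auth",
		"git.example.com/internal/authz", "github.com/other/lib",
	}
	for _, m := range unverified(patterns, mods) {
		fmt.Println("not checked against sum.golang.org:", m)
	}
}
```

Running a dependency list through a check like this before setting the variable shows exactly how much of the module graph loses public checksum verification, which is the part worth reviewing when a pattern is widened.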


@zong-zhe zong-zhe added help wanted Extra attention is needed good first issue Good for newcomers labels Feb 26, 2025
@zong-zhe zong-zhe added this to the v0.1.0 Release milestone Feb 26, 2025
@zong-zhe zong-zhe changed the title [WIP] Enhancement: Added a switch for kpm checksum to work offline [WIP] Enhancement: Added a switch for kpm checksum to work without checksum Feb 26, 2025
@RohanMishra315

Hey @zong-zhe, could I take it?

@gitatractivo

/assign

@suyiiyii

> Now, all modules under github.com/yourteam and git.example.com/internal/auth will bypass the public checksum database.

@zong-zhe Hello, I would like to know if KPM has a centralized checksum db. If not, what is the significance of skipping the checksum check?
In a purely internal network environment, is it valid to skip such checks? If so, is it related to this #329?

@zong-zhe
Contributor Author

> Hello, I would like to know if KPM has a centralized checksum db. If not, what is the significance of skipping the checksum check?
> In a purely internal network environment, is it valid to skip such checks? If so, is it related to this #329?

Hi @suyiiyii 😄

kpm does not currently have a centralized checksum repository; kpm currently uses the OCI manifest to store checksums.
