On HN it is taken as gospel that any information sent to a server will absolutely compromise your privacy. If anyone points out that the information is trivial or useless the rebuttal is instant - it can be cross referenced with other sources to build a complete profile of you.
If you want to know which Go modules I use, go check out my github. They're listed right there in import statements. If I'm hacking on a project that I want to keep private, I'll disable this feature with a command line flag - easy.
My issue with the paranoid folks in that thread is not that they made no sense (they can't help that), it was they were attacking the person who implemented the feature viciously. He had implemented a feature that a majority of Go developers had been requesting for 5+ years, had done it in a way that improved clean build time, improved security and could easily be disabled or replaced with a private DB. Literally what else could that man have done?
Even though all his work could be verified trivially (Go is open source!), they still chose to attack him.
No it isn't. Please tell me how you achieve security without storing hashes in a DB? The default is only for those who'd prefer not to run their own DB. You are welcome to run your own DB if you want.
Why are you so upset that other people will be using a feature you obviously won't? Why are you upset when this leaks literally no info that your github repo doesn't already?
In the default configuration, the checksum database currently has 657 level-0 tiles. The raw log data associated with each level-0 tile seems to be about 50KB. You could store the entire current checksum database log in about 30 MiB. You could store the level-0 hash tiles in 5 MiB.
This makes sense right? Cargo, the rust package manager, does replicate the entire package index using git and it is ~250 MiB (~150MiB in .git/) (The cargo index stores much more metadata in a more verbose JSON format). It seems like a very reasonable bet considering prior art.
Is there any meaningful difference between what google knows about your modules and what npm knows about js modules? Or what a Debian mirror operator knows about your packages?
I get that Google changed the way go packages work, but I don't understand the difference between that and literally every package manager in existence.
If you want to know which Go modules I use, go check out my github. They're listed right there in import statements. If I'm hacking on a project that I want to keep private, I'll disable this feature with a command line flag - easy.
My issue with the paranoid folks in that thread is not that they made no sense (they can't help that), it was they were attacking the person who implemented the feature viciously. He had implemented a feature that a majority of Go developers had been requesting for 5+ years, had done it in a way that improved clean build time, improved security and could easily be disabled or replaced with a private DB. Literally what else could that man have done?
Even though all his work could be verified trivially (Go is open source!), they still chose to attack him.