This Week in Programming: Privacy Issues Swirl Around Google’s GoLang Proxy Calls

6 Sep 2019 1:00pm, by

Go 1.13 has hit the mean streets of the internet this past week, and the team highlights features like improvements to number literals, error wrapping, and TLS 1.3 being on by default, also quickly noting that the go command now downloads and authenticates modules using the Go module mirror and Go checksum database by default.

While a relatively minor release, that last point has caught the eye of Go developer Matt Farina, who writes of the new proxy feature that “This could provide problems for proprietary software. Especially those developing competitive solutions to Google and aren’t paying attention.”

So what, exactly, is happening?

In this latest version of Go, Farina writes, “the GOPROXY defaults to https://proxy.golang.org,direct”, meaning “that commands like go get and go build will attempt to fetch modules from the Go Proxy, which is operated by Google and governed by the Google Privacy Policy.”

Essentially, Farina argues that a company, such as Google, could snoop on what packages a project pulls in and deduce some interesting information on potential competitors and the like.

“Just imagine the details one could piece together with this sort of information. You know one or a set of IPs is pulling a certain set of modules. Some public where you have the details and some private but the names leak a little about them. What could one surmise from this information? Especially if they have other data from other data sources to merge with this.”

While Go offers the GOPRIVATE and GONOPROXY environment variables to address this, Farina argues that it’s all about the defaults, writing that “I wouldn’t be surprised if most developers using Go aren’t aware this change is happening and it will silently take effect for them.”
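To make the opt-out concrete, here is an added example (not code from the article or from the Go project) that reimplements the matching rule the go command documents for GOPRIVATE and GONOPROXY: a comma-separated list of path.Match-style glob patterns, each compared against the module path prefix with the same number of path elements. Given the Go 1.13 default of `GOPROXY=https://proxy.golang.org,direct`, it reports which module paths would still be sent to the proxy and which would be fetched directly. The company name, internal hostname and module paths are constructed for the example; the functions `matchPrefixPatterns` and `resolveSource` are assumptions of this example, not the go command’s own API.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns reports whether target matches any of the comma-separated
// glob patterns in globs, following the rule documented for GOPRIVATE and
// GONOPROXY: a pattern with N slashes is matched (via path.Match) against the
// first N+1 path elements of the module path. This is a stand-alone
// reimplementation of that documented rule, not the go command's own code.
func matchPrefixPatterns(globs, target string) bool {
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		// Cut target at its (N+1)th slash so only the leading N+1 elements
		// are compared against the pattern.
		n := strings.Count(glob, "/")
		prefix := target
		for i := 0; i < len(target); i++ {
			if target[i] == '/' {
				if n == 0 {
					prefix = target[:i]
					break
				}
				n--
			}
		}
		if n > 0 {
			continue // target has fewer elements than the pattern; no match
		}
		if ok, _ := path.Match(glob, prefix); ok {
			return true
		}
	}
	return false
}

// resolveSource names where a module fetch goes under the Go 1.13 defaults
// (GOPROXY=https://proxy.golang.org,direct) for a given GOPRIVATE/GONOPROXY
// list: matching module paths bypass the proxy and are fetched directly from
// their version-control host, everything else is requested from the proxy.
func resolveSource(private, modulePath string) string {
	if matchPrefixPatterns(private, modulePath) {
		return "direct"
	}
	return "proxy.golang.org"
}

func main() {
	// Constructed example: a GOPRIVATE value a company might set, plus a mix of
	// public modules and hypothetical internal ones.
	private := "git.example-corp.internal/*, github.com/example-corp/*"
	modules := []string{
		"github.com/spf13/cobra",
		"github.com/example-corp/billing",
		"git.example-corp.internal/platform/auth",
		"golang.org/x/crypto",
	}
	for _, m := range modules {
		fmt.Printf("%-45s -> %s\n", m, resolveSource(private, m))
	}
}
```

Setting GOPRIVATE is enough for most teams, since it supplies the default for both GONOPROXY and GONOSUMDB, so private module names are neither sent to the proxy nor looked up in the checksum database; on Go 1.13 the value can be persisted with `go env -w GOPRIVATE=...` and checked afterwards with `go env GOPRIVATE`. Note that a pattern such as `github.com/example-corp/*` covers every module directly under that path but not the bare path itself, and that only the module path is affected: the public modules an internal project depends on are still requested from the proxy.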

Now, the conversation around the topic on HackerNews is lively, of course, with one commenter seeming to argue that this is a non-issue, pointing out that Node.js, Perl, Python, and Rust all “have a central registry of packages that has the same level of detail in the metadata it can potentially collect as the go proxy does.”

Of course, the difference, Farina argues in the comments, is Google.

“There is a difference between npm, Perl, and the others mentioned and Go. Go is Google with a diverse set of products and services. Many people who use Go build competitive services to Google. What company is using python and building something in competition to the python software foundation? Or something for the others? This difference is worth taking into account. If Go were part of a software foundation like Python this would be a different story.”

For the concerned, the issue hasn’t gone fully unnoticed on the Go team’s end — an issue has already been opened about this, with many arguing that the default proxy is the real problem here. As always, some say, it’s better to opt in than to be required to opt out. As one commenter on the issue succinctly argues, “the defaults shouldn’t be ‘expose info to a third company/public proxy’ even if that info isn’t too much but import paths.”

This Week in Programming

  • Welcoming Dark Mode — AKA Android 10: Nothing screams “feature made by developers for developers” more than dark themes, amirite? Well, this week heralds the arrival of Android 10, which features dark themes, and much more for you Android developers. Outside of the dark theme support, Android 10 also gives developers foldable support, optional live caption functionality, 5G support, the ability to offer “Smart Replies”, and gesture navigation. Of course, that’s just the surface — Google offers a list of 10 things to know about Android 10 that goes a bit deeper into the privacy and security features that come with the latest Android OS. Speaking of which, Google has released the Android 10 source code to the Android Open Source Project (AOSP), and shares some credit with the greater ecosystem, noting that “more than 200,000 of you tested early releases on 26 different Beta devices, reporting 20,000 unique issues.”
  • Taking the Perl Out of Perl 6: Some years back now, we took a look at the idea of renaming Perl 6 to save it from terminal unpopularity. Well, that idea has been reborn, as summarized in this blog post by Perl developer Ovid, which asks: Is Perl 6 Being Renamed? The debate has been respawned by the Github issue “Perl” in the name “Perl 6” is confusing and irritating, which was created by Elizabeth (Liz) Mattijsen, one of the core Perl 6 developers. Ovid summarizes “the far, far too terse backstory: the Perl 6 community seems to be split between those who view Perl 6 as a sister language to Perl 5 and those who view Perl 6 as a successor to Perl 5. The Perl 5 community, meanwhile, is split between ‘f*ck yeah’ and ‘f*ck you’.” With this latest request, though, it appears that there is some oomph behind this renaming effort and we may see Perl 6 drop the Perl moniker altogether, in order to finally distance itself from a language that it mostly relates to in name and not function. Or, as the post again summarizes: “Having two programming languages that are sufficiently different to not be source compatible, but only differ in what many perceive to be a version number, is hurting the image of both Perl 5 and Perl 6 in the world.”
  • Running AI on the Edge For Newbs and Pros Alike: If you’re trying to implement AI out on the edge, take a look at the newly available Vision AI Developer Kit first released last year by Microsoft and Qualcomm. The kit includes a camera and the software needed to develop edge solutions, such as “real-time image processing locally on the edge device, and model training and management on Azure.” According to the kit’s description, the camera works with Azure IoT Hub and comes with a default Vision AI module that recognizes 183 different objects. According to the blog post, the kit is really designed for all levels, arriving with “three options for developers to get started, including no code using Custom Vision, an Azure Cognitive Service, custom models with Azure Machine Learning, and the fully integrated development environment provided by Visual Studio Code.”
  • Quarkus Nears Availability: Remember Quarkus, the Kubernetes-native Java we wrote about some time ago? InfoWorld has the story on how Quarkus is ready for testing “before potentially being opened up to developers as a product offering in coming months.” According to the article, the current roadmap has testing finishing up this year and general availability early next year; developer tools are also on the way, with their developer preview likewise set for early next year.

Feature image by Miranda Bleijenberg from Pixabay.
