packit: set default for GOPROXY

[schuellerf]

The default in our CI is "direct" which is not as stable as the more common https://proxy.golang.org,direct.

This also moves the implementation to the Makefile to have it more central.

[supakeen]

I'll be deferring review of this as we seem to be in gear to replace most of our vendoring scripts/Makefiles with go-vendor-tools as proposed by the Go SIG in Fedora. We plan to discuss this tomorrow.

[mvo5]

Setting to "blocked" based on #86 (comment) - please just remove the label once that discussion has happend

[supakeen]

Since we don't seem to really have time to look into go-vendor-tools I'll unblock this and we can decide here.

[mvo5]

I think this should be closed based on the reasoning in https://github.com/osbuild/image-builder-cli/pull/86/files#r1923834932

If not closed it should follow upstream and use GOPROXY=https://proxy.golang.org,direct - disabling the "gatekeeping" feature would mean if there is a malicious go module we would not get protection from the upstream go proxy (i.e. the default behavior allows the upstream to deny-list known malicious modules which we would disable by using "|" instead of ",").

[schuellerf]

I'm ok with GOPROXY=https://proxy.golang.org,direct this would also improve robustness of CI.
(which basically is now there for packit exactly for this reason)

[mvo5]

I'm ok with GOPROXY=https://proxy.golang.org,direct this would also improve robustness of CI. (which basically is now there for packit exactly for this reason)

I think its fine to set the GOPROXY in our CI but not in the user facing Makefile.

On a fedora system this change will override the system default behavior related to the module loading (which can be inspected via go env GOPROXY and (which is a the go package default not an environment that can be checked via the Makefile). This will lead to inconsistent behavior between running "go build" and "make". I strongly feel it is not our call to make to override the systems choices in our Makefile - either the user decides to override the system defaults on their own for everything or they don't but we should not make this decision (we could try to convince fedora to avoid this change).

[achilleas-k]

I strongly feel it is not our call to make to override the systems choices in our Makefile - either the user decides to override the system defaults on their own for everything or they don't but we should not make this decision (we could try to convince fedora to avoid this change).

Fully agree with this part especially (and the rest of the comment more generally).

please check the changed implementation

[ondrejbudai]

Thank you!

Would it be possible to move go mod vendor into rpm_spec_add_provides_bundle.sh? Since it's a clear prerequisite for the generation process, it imho makes more sense to group these together.

Then we either don't need the makefile target at all, or we can just call it the same as the script: make rpm_spec_add_provides_bundle (I have a bit of underscores vs. dashes dilemma here 😅 ).

Also, please make sure that the commit message, and the PR title match what the change is actually about. Thank you! ❤️

[achilleas-k]

What's the status of this? Let's make a decision and either finish it or close it.