



Sourcehut, a code hosting service similar to GitHub, GitLab, Gitea, etc., plans to start blocking Go Module Mirror, a proxy that fetches and caches code from Git servers.

Starting February 24th, developers running go get or similar commands on Go packages to import modules from the SourceHut repository will see an error message. To solve this, you have to use a workaround to get the desired code.

In a blog post on Monday, Sourcehut founder Drew DeVault explained that the decision was due to the behavior of Google’s Go module mirror. He described it last year as a distributed denial of service attack to persuade Google’s Go team to change. operation of that system.

According to DeVault, the Go module proxy not only handles user requests via the go get command, but also replicates entire git repositories on its own from multiple servers that don’t coordinate requests.

Go Module Mirror can make as many as 2,500 of these requests per hour, often combined with up to 12 clone operations. According to DeVault, these are highly redundant and a single git repository can be fetched over 100 times per hour.

That’s about 70% of Sourcehut’s outbound traffic, and a single module drives up to 4 GiB of daily traffic from Google.

“The cost of incurring this traffic is no longer acceptable and the Go team has made no attempt to fix the issue during this time,” DeVault wrote. “We don’t want to inconvenience Go users, but the burden and cost of continuing to support this feature is too high.”

DeVault opened a GitHub issue on February 24, 2021 to persuade Google’s Go engineers to address the issue, but after two years of back and forth, the mitigations introduced were minimal. has only had an impact on

Other Go module maintainers have also complained about the mindless consumption of computing resources by Go module mirrors.

“Yesterday, Go Module Mirror downloaded 4 gigabytes of data from my server and requested one module over 500 times (logs attached),” developer Ben Lubar posted on May 30, 2021. I am writing in “As far as I know, I’m the only person in the world using this Go module. Any caching or at least rate limiting would be greatly appreciated.”

Russ Cox, Head of Technology for the Go Programming Language at Google, responded to a discussion of the issue on Hacker News, noting that the Go team is working to address the issue.

According to him, Go 1.19 includes a way to download modules with the -reuse flag so that update operations can use less bandwidth by avoiding unmodified data. . According to Cox, the proxy.golang.org service has not yet been revised to support this language change, but it is on the list of work planned for this year.

“On the one hand Sourcehut claims this is a big problem for them, but on the other hand Sourcehut also says they don’t want to make a special case for disabling background updates.” Cox said, citing DeVault’s claims that Google should fix its “wrong solution” and give Sourcehut no special treatment. “The suggestion to disable background refresh until a more complete fix is ​​deployed works for Sourcehut and anyone else struggling with the current load.”

This isn’t the first time Google’s code has been accused of wasting other users’ bandwidth. In August 2020, APNIC, the Asia-Pacific Regional Internet Registry, announced that the Chromium team had decided to combine Google’s browser search keyword input box and URL input box in 2008 as one omnibox. , complained of a huge amount of DNS traffic.

The extra data checks whether network service providers are involved in NXDomain hijacking, captures queries for typographical errors or non-existing domains, and snips them by returning responses associated with its own service. It was the result of browser code designed to differentiate between search terms and URLs by monetizing them. .

At that time, about half of the 60 billion queries per day of DNS root server traffic to root server systems was due to Chromium’s efforts to separate queries from URLs. Google tamed the Query URL Disambiguation Probe in February 2021.

