Sharing and protecting Go Source Code


(Fadi Samara) #1

We work with local and remote developers worldwide.

We give all developers access to our Go source code library to develop our projects.

I would like to know if there is a way where we could protect the core libraries from being disclosed but still being used in other part of the projects where they linked to.

We trust our developers but sharing the code remotely makes us thinking how to hide/secure some of the core libraries.

Your help is much appreciated.


(George Calianu) #2

You can use compiled libraries or plugin mechanism for this but your project must be hard modified in this way. For secure acces simply use ssh or vpn connections. Are not to much options to hide source code in the idea of the developers need to use this code :thinking:


(Tamás Gulácsi) #3

If you want to hide the source code, your best option is to not share it, but only as a service: create an interface and provide the access through some client code (for example gRPC to your well secured server).


(Curtis Allyn Green) #4

Microservice architecture, as Tamas has suggested, is a good way to keep things encapsulated and on a need to know. Since you can then manage its service as it’s own project with its own code branch, tests, and build procedures.


(Fadi Samara) #5

Thanks Tamas and Curtis.

If I can be more specific, I would like to have something like this:
Instead of using specific package .go in src, can I use the .a binary of that specific package for developing the code.

instead of having this code:

package main
import (
“net/http”
_ “permission”

I would like to have something like:

package main
import (
“net/http”
_ “pkg/linux_amd64/permission”

of course the above did not compile.

I appreciate your help, as this issue preventing us from opening the environment for external developers/contractors.


(Jakob Borg) #6

What you’re looking for is called a “binary only package” and is sort of vaguely kinda-but-not-really supported. If you google that you’ll get hits for relevant guides, blog posts and issues.

My gut feeling is that approximately nobody uses this, so you may not get enormous amounts of support here.


(Fadi Samara) #7

Looks like your solution is the closest.
Could you please provide more information on how to do this?
Any detail is appreciated mate.
Thanks,


(Norbert Melzer) #8

This would force everyone to be online to use your service and also some folks might have security considerations when submitting their secret data to your service.