Yoav Landman is the CTO and co-founder of JFrog sat down with Cloud Native Computing Foundation(CNCF), to talk about GoCenter.
Yoav Landman: GoCenter is a public, free repository for Go open source modules. Basically, Go is going through some transition period by introduction of Go modules, which is a standard for managing packaged artifacts for Go, so basically immutable versions for Go that are reusable. Today the community is lacking metadata about Go modules. What we did at JFrog is, we took those popular open source projects and we created those metadata descriptors and packaged those versions of popular Go modules and offered that in a public repository that anyone can use.
CNCF: Why is this important for developers?
Yoav Landman: I you want to have trust in your build pipeline, then you have to have trust coming from the very beginning, from basically the source that you use to build your software. So, when relying on pure source code with Go or vendoring in your dependencies, you do not guarantee that your Go packages are going to be immutable, meaning that if somebody overwrites a tag or completely wipes out the project, that means that you and I can look at different times and get totally different sources for the same Go module.
And then there’s the question of efficiency. So, if you are doing git checkout or you are doing git clone, essentially, whenever you’re building, that’s not what GitHub, for example, was made for, so you are being inconsiderate and putting a lot of effort with concurrent requests doing your builds against the source repositories. Instead, you can have those package pre-made Go modules offered for you in a reusable fashion, and everyone pointing at the same version, same checksum, of the same Go module, so that’s why.
CNCF: How does JFrog use Go?
Yoav Landman: We are using Go a lot internally. We are using Go to build JFrog Xray, which is a scanning tool. Our open source JFrog CLI is written in Go. Many internal microservices that are actually running inside Artifactory, that is itself written in Java, are Go-based. And we felt this pain ourselves. The fact that our developers, a lot of time, vendored in dependencies or just relied on a certain snapshot in time of the master, no common base and no common dependency manager for Go modules. It was a big pain for us in managing trust and being able to offer reproducible builds across different products and across different teams, so we were very happy to see Go modules coming.
We introduced support for it first in Artifactory, and then we saw that we solved the technical problem of being able to serve Go modules in Artifactory, but we were lacking the ecosystem to support that because all the popular libraries that we know are not modularized yet. So we decided to pick up this task and share it with others.
Everything around the cloud is happening with Go. Kubernetes is written in Go. It’s called the language of the cloud.
Being here at KubeCon NA in Seattle has been great. We get to see so many different customers and to hear from existing customers and new customers about how they’re adopting Kubernetes. We are seeing a lot of our big financial services customers that are going into Kubernetes for production, so that’s usually a good sign that something is catching up very strongly as a standard in the industry.
Watch the video to learn more about howJFrog is using Go.