cmd/go: security fix broke bzr-inside-bzr repos #22157

Closed
rsc opened this Issue Oct 5, 2017 · 7 comments

@rsc
Contributor

rsc commented Oct 5, 2017

@arthursapek in #22125 (comment) reports:

This change seems to break go get on a nested bzr package called labix.org/v2/mgo.

Given command go get labix.org/v2/mgo/bson, we get this output:

package labix.org/v2/mgo/bson: directory "/home/emile/go/src/labix.org/v2/mgo" uses bzr, but parent "/home/emile/go/src/labix.org/v2" uses bzr

Same goes for this mirror: go get gopkg.in/mgo.v2/bson

Was the intent here to disable all nested VCS except for git?

Indeed it was, because we are confident about git protecting well enough against git-in-git. I am honestly not as confident in bzr, which seems to have far less attention paid to it. Anything we enable here ends up in the trusted computing base for cmd/go (that is, it allows attacks on cmd/go users), so I'm really pretty reluctant to add this back.

But creating the issue anyway.
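As an added illustration (this is example code, not cmd/go's own source), here is the nested-VCS check as the thread describes it, written in Go: walk from the checkout directory up to GOPATH/src, probe each directory on the way for a VCS metadata directory, and refuse any checkout found inside another one except git inside git. `checkNestedVCS`, `markerSet` and the `vcsNames` table are this example's own names, and the directory layout from the report is constructed in `main`. The thread does not show the fix's diff, so the comment about which directory the probe must be applied to is labelled as an assumption about the bug's shape, not as the repository's actual change.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// vcsNames lists the VCSes whose metadata directory (".git", ".hg", ".bzr",
// ".svn") marks a checkout root. Example table, not cmd/go's own vcsList.
var vcsNames = []string{"git", "hg", "bzr", "svn"}

// dirExists is the real-filesystem probe: does path exist and is it a directory?
func dirExists(path string) bool {
	fi, err := os.Stat(path)
	return err == nil && fi.IsDir()
}

// markerSet builds a probe from a constructed list of metadata directories so
// the check can be exercised without creating anything on disk.
func markerSet(dirs ...string) func(string) bool {
	set := make(map[string]bool, len(dirs))
	for _, d := range dirs {
		set[filepath.Clean(d)] = true
	}
	return func(p string) bool { return set[filepath.Clean(p)] }
}

// checkNestedVCS walks from dir up to (but not including) srcRoot, probing each
// directory for a VCS metadata directory. dir is the root of a checkout that
// uses vcs. Any other checkout found on the way up is rejected, except git
// inside git (submodules), which is the one nesting the thread keeps allowed.
//
// Assumption about the bug discussed above (the thread shows no diff): the
// probe must look at the directory currently being inspected, otherDir. A
// check that kept probing dir itself on every iteration would see dir's own
// marker again at each level and report every ancestor as using the same
// VCS, which is the shape of the reported message
// `uses bzr, but parent ... uses bzr` for a parent holding no repository.
func checkNestedVCS(vcs, dir, srcRoot string, exists func(string) bool) error {
	dir, srcRoot = filepath.Clean(dir), filepath.Clean(srcRoot)
	if len(dir) <= len(srcRoot) || dir[:len(srcRoot)] != srcRoot ||
		dir[len(srcRoot)] != filepath.Separator {
		return fmt.Errorf("directory %q is outside source root %q", dir, srcRoot)
	}
	otherDir := dir
	for len(otherDir) > len(srcRoot) {
		for _, other := range vcsNames {
			if !exists(filepath.Join(otherDir, "."+other)) {
				continue
			}
			if otherDir == dir && other == vcs {
				continue // the checkout we were asked about
			}
			if other == vcs && vcs == "git" {
				continue // git inside git is permitted
			}
			return fmt.Errorf("directory %q uses %s, but parent %q uses %s",
				dir, vcs, otherDir, other)
		}
		parent := filepath.Dir(otherDir)
		if len(parent) >= len(otherDir) {
			break // hit a filesystem root; nothing further to inspect
		}
		otherDir = parent
	}
	return nil
}

func main() {
	// Constructed layout from the report: GOPATH/src with a single bzr
	// checkout at labix.org/v2/mgo and no repository at labix.org/v2.
	srcRoot := filepath.Join(string(filepath.Separator), "home", "emile", "go", "src")
	v2 := filepath.Join(srcRoot, "labix.org", "v2")
	mgo := filepath.Join(v2, "mgo")

	cases := []struct {
		label, vcs string
		probe      func(string) bool
	}{
		{"bzr with no parent checkout (the report; must pass)", "bzr",
			markerSet(filepath.Join(mgo, ".bzr"))},
		{"git inside git (submodule; permitted)", "git",
			markerSet(filepath.Join(mgo, ".git"), filepath.Join(v2, ".git"))},
		{"hg inside hg (rejected)", "hg",
			markerSet(filepath.Join(mgo, ".hg"), filepath.Join(v2, ".hg"))},
		{"bzr inside git (rejected)", "bzr",
			markerSet(filepath.Join(mgo, ".bzr"), filepath.Join(v2, ".git"))},
	}
	for _, c := range cases {
		fmt.Printf("%-52s -> %v\n", c.label, checkNestedVCS(c.vcs, mgo, srcRoot, c.probe))
	}

	// Against a real tree: go run . <vcs> <checkout-dir> <GOPATH/src>
	if len(os.Args) == 4 {
		fmt.Println(checkNestedVCS(os.Args[1], os.Args[2], os.Args[3], dirExists))
	}
}
```

The probe is a parameter so the same logic can be run against a constructed tree or, with `dirExists`, against a real GOPATH. The first case is the situation from the report: a lone bzr checkout two levels below `src` must pass, and an error that names a parent directory holding no repository is the signal that the check is inspecting the wrong directory.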

Contributor

rsc commented Oct 5, 2017

/cc @niemeyer for advice (only bzr user I know)

Member

dmitshur commented Oct 5, 2017

but parent "/home/emile/go/src/labix.org/v2" uses bzr

Is there really a Bazaar repository at the path corresponding to import path labix.org/v2?

Have you verified that the "go-import" tags are correctly served for the labix.org/v2/mgo/bson package? It's possible that the root issue is there, so we should check whether that's the case before considering changes to cmd/go.

When I do curl -i 'https://labix.org/v2?go-get=1', I get 404, so something seems strange.
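Added example, not cmd/go's resolver: a small Go program that parses the go-import meta tags dmitshur suggests checking and resolves an import path against them the way the tool expects (the prefix must match at a path-element boundary, exactly one tag must match, and only a supported VCS is accepted). `parseGoImports`, `resolve`, `fetchGoImports` and the `example.invalid` page are this example's own; the sample HTML is constructed and is not what labix.org served.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// GoImport is one parsed go-import directive. The tag's content attribute has
// three space-separated fields: "import-prefix vcs repo-root".
type GoImport struct {
	Prefix, VCS, RepoRoot string
}

// knownVCS restricts the vcs field to systems the tool actually supports; a
// tag naming anything else is ignored rather than trusted.
var knownVCS = map[string]bool{"git": true, "hg": true, "bzr": true, "svn": true}

var (
	metaTagRe = regexp.MustCompile(`(?is)<meta\s[^>]*>`)
	attrRe    = regexp.MustCompile(`(?i)\b(name|content)\s*=\s*"([^"]*)"`)
)

// parseGoImports extracts every well-formed go-import directive from an HTML
// body. A regexp scan is used to stay dependency-free; it is enough for the
// <head> of a vanity-import page.
func parseGoImports(body string) []GoImport {
	var out []GoImport
	for _, tag := range metaTagRe.FindAllString(body, -1) {
		var name, content string
		for _, m := range attrRe.FindAllStringSubmatch(tag, -1) {
			switch strings.ToLower(m[1]) {
			case "name":
				name = m[2]
			case "content":
				content = m[2]
			}
		}
		if name != "go-import" {
			continue
		}
		f := strings.Fields(content)
		if len(f) != 3 || !knownVCS[f[1]] {
			continue // malformed or unsupported VCS: skip, do not guess
		}
		out = append(out, GoImport{Prefix: f[0], VCS: f[1], RepoRoot: f[2]})
	}
	return out
}

// resolve picks the directive that covers importPath. The prefix must match
// the import path at a path-element boundary, and exactly one directive must
// match: zero means the page is not serving that package, more than one is
// ambiguous and refused.
func resolve(importPath string, directives []GoImport) (GoImport, error) {
	var found []GoImport
	for _, d := range directives {
		if importPath == d.Prefix || strings.HasPrefix(importPath, d.Prefix+"/") {
			found = append(found, d)
		}
	}
	switch len(found) {
	case 0:
		return GoImport{}, fmt.Errorf("no go-import meta tag matches %q", importPath)
	case 1:
		return found[0], nil
	}
	return GoImport{}, fmt.Errorf("%d go-import meta tags match %q; ambiguous", len(found), importPath)
}

// fetchGoImports performs the same request as the curl command in the thread,
// over HTTPS only, and parses the response body. This example treats any
// non-200 status (such as the 404 seen for labix.org/v2) as a failure.
func fetchGoImports(importPath string) ([]GoImport, error) {
	resp, err := http.Get("https://" + importPath + "?go-get=1")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: HTTP %d", importPath, resp.StatusCode)
	}
	return parseGoImports(string(body)), nil
}

// sampleHTML is a constructed vanity page; host and repository URLs are
// placeholders. The third tag is deliberately malformed and must be ignored.
const sampleHTML = `<html><head>
<meta name="go-import" content="example.invalid/v2/mgo bzr https://example.invalid/repos/mgo/v2">
<meta name="go-import" content="example.invalid/other git https://example.invalid/other.git">
<meta name="go-import" content="example.invalid/broken ftp nope">
</head><body>nothing to see</body></html>`

func main() {
	directives := parseGoImports(sampleHTML)
	for _, p := range []string{"example.invalid/v2/mgo/bson", "example.invalid/v2", "example.invalid/v2/mgoose"} {
		d, err := resolve(p, directives)
		fmt.Printf("%-30s -> %+v %v\n", p, d, err)
	}
}
```

Run it as-is to see the offline cases; `fetchGoImports("labix.org/v2/mgo")` reproduces the check dmitshur describes against a live host. Resolving `example.invalid/v2` fails because the page only declares the longer prefix, which is the same shape as the 404 in the thread: the parent path is not itself a package the host serves.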

gopherbot commented Oct 11, 2017

Change https://golang.org/cl/69670 mentions this issue: cmd/go: correct directory used in checkNestedVCS test

@gopherbot gopherbot closed this in 862b78e Oct 11, 2017

@ianlancetaylor ianlancetaylor added this to the Go1.9.2 milestone Oct 11, 2017

@rsc rsc reopened this Oct 13, 2017

@rsc rsc added the release-blocker label Oct 13, 2017

Contributor

rsc commented Oct 13, 2017

CL 69670 OK for Go 1.9.2

gopherbot commented Oct 14, 2017

Change https://golang.org/cl/70839 mentions this issue: [release-branch.go1.8] cmd/go: correct directory used in checkNestedVCS test

gopherbot commented Oct 15, 2017

Change https://golang.org/cl/70984 mentions this issue: [release-branch.go1.9] cmd/go: correct directory used in checkNestedVCS test

gopherbot pushed a commit that referenced this issue Oct 25, 2017

[release-branch.go1.8] cmd/go: correct directory used in checkNestedVCS test

This error was not used when using git because nested git is permitted.
Add test using Mercurial, so that at least we have a test, even though
the test is not run by default.

Fixes #22157
Fixes #22201

Change-Id: If521f3c09b0754e00e56fa3cd0364764a57a43ad
Reviewed-on: https://go-review.googlesource.com/69670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-on: https://go-review.googlesource.com/70839
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

gopherbot pushed a commit that referenced this issue Oct 25, 2017

[release-branch.go1.9] cmd/go: correct directory used in checkNestedVCS test

This error was not used when using git because nested git is permitted.
Add test using Mercurial, so that at least we have a test, even though
the test is not run by default.

Fixes #22157
Fixes #22201

Change-Id: If521f3c09b0754e00e56fa3cd0364764a57a43ad
Reviewed-on: https://go-review.googlesource.com/69670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-on: https://go-review.googlesource.com/70984
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>

Contributor

rsc commented Oct 26, 2017

go1.9.2 has been packaged and includes:

The release is posted at golang.org/dl.

— golang.org/x/build/cmd/releasebot, Oct 26 21:09:21 UTC
