cmd/go: pseudoversions can refer to external commits #31191
Unfortunately, the two major code hosts used in the Go ecosystem—GitHub and Gerrit—allow anyone to inject commits into any git repository. On GitHub PRs show up in
This means that they are reachable across the wire. The git policy is that anything reachable from a ref can be fetched remotely. It also means they can be used as pseudoversions.
The problem is that anyone would take a PR that updates
We need to make sure anything we fetch is reachable from
Besides performance, there is a major drawback to that: if something was reachable but isn't anymore, it won't be possible to fetch it directly anymore. I'm afraid there is no way around it. (Hopefully a proxy might still have it cached.)
This is a superset of #30434: fixing this fixes the unexpected behavior there, too.
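One way to run the kind of reachability check the issue calls for, as an added example that is not code from cmd/go or from the issue. It assumes the trusted namespaces are `refs/heads/*` and `refs/tags/*`, and it builds a constructed local repository in which one commit exists only under a pull-request style ref (`refs/pull/1/head`, the form GitHub uses for PR heads); the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: works on a constructed local repository, no network access.

# Succeeds only if commit $2 in repository $1 is contained in a branch or tag.
# Assumption: refs/heads/* and refs/tags/* are the only trusted namespaces.
reachable_from_branch_or_tag() {
    refs=$(git -C "$1" for-each-ref --contains "$2" \
        --format='%(refname)' refs/heads refs/tags) || return 2
    [ -n "$refs" ]
}

# Helper: create an empty commit in $DEMO_REPO with a fixed identity.
_demo_commit() {
    git -C "$DEMO_REPO" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "$1"
}

# Build the constructed repository: MAIN_COMMIT is on branch main,
# PR_COMMIT is referenced only by refs/pull/1/head.
make_demo_repo() {
    DEMO_REPO=$(mktemp -d) || return 1
    git -C "$DEMO_REPO" init -q
    git -C "$DEMO_REPO" symbolic-ref HEAD refs/heads/main
    _demo_commit "upstream work"
    MAIN_COMMIT=$(git -C "$DEMO_REPO" rev-parse HEAD)
    git -C "$DEMO_REPO" checkout -q --detach
    _demo_commit "change proposed from outside"
    PR_COMMIT=$(git -C "$DEMO_REPO" rev-parse HEAD)
    git -C "$DEMO_REPO" update-ref refs/pull/1/head "$PR_COMMIT"
    git -C "$DEMO_REPO" checkout -q main
}

make_demo_repo
for c in "$MAIN_COMMIT" "$PR_COMMIT"; do
    if reachable_from_branch_or_tag "$DEMO_REPO" "$c"; then
        echo "$c: contained in a branch or tag"
    else
        echo "$c: only reachable from other refs, reject"
    fi
done
rm -rf "$DEMO_REPO"
```

Both commits resolve inside the repository, which is why the existence of a hash alone says nothing about whether the project's maintainers ever accepted it.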