Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: pseudoversions can refer to external commits #31191

Open
FiloSottile opened this Issue Apr 1, 2019 · 3 comments

Comments

Projects
None yet
2 participants
@FiloSottile
Copy link
Member

commented Apr 1, 2019

Unfortunately, the two major code hosts used in the Go ecosystem—GitHub and Gerrit—allow anyone to inject commits into any git repository. On GitHub PRs show up in refs/pull/ in the main repo, and in Gerrit CLs show up as refs/changes/. This regularly causes confusion.

This means that they are reachable across the wire. The git policy is that anything reachable from a ref can be fetched remotely. It also means they can be used as preudoversions.

For example, golang.org/x/crypto@v0.0.0-20190330071201-e19e1a02deae is a valid pseudoversion for the unmerged https://go-review.googlesource.com/c/crypto/+/169037/3. It also ranks higher than master, which is older.

The problem is that anyone would take a PR that updates golang.org/x/crypto from v0.0.0-20190325154230-a5d413f7728c to v0.0.0-20190330071201-e19e1a02deae, and the chances that they would review the diff are none. In modules world in particular, using a module delegates trust to its author, but allowing anyone to effectively publish a pseudoversion for any module breaks that trust system.

We need to make sure anything we fetch is reachable from refs/heads or refs/tags.

Besides performance, there is a major drawback to that: if something was reachable but isn't anymore, it won't be possible to fetch it directly anymore. I'm afraid there is no way around it. (Hopefully a proxy might still have it cached.)

This is a superset of #30434: fixing this fixes the unexpected behavior there, too.

/cc @jayconrod @bcmills

@FiloSottile

This comment has been minimized.

Copy link
Member Author

commented Apr 1, 2019

@gopherbot please open backport issues for this. It is a security issue and we want to make sure the entire modules ecosystem will reject the external pseudoversions.

@gopherbot

This comment has been minimized.

Copy link

commented Apr 1, 2019

Backport issue(s) opened: #31195 (for 1.11), #31196 (for 1.12).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

@FiloSottile

This comment has been minimized.

Copy link
Member Author

commented Apr 8, 2019

By the way, this came up in a few discussions, but I think the first one to notice the issue might have been @dmitshur.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.