
cmd/go: downloads follow plain-HTTP redirects even when the -insecure flag is not set [1.12 backport] #31887

Closed
bcmills opened this issue May 7, 2019 · 10 comments

Comments

bcmills (Member) commented May 7, 2019

Per #29618 (comment):

I've been thinking about this some more. I don't think we'll have adequate soak time on the change until after Go 1.13 is released: I suspect that the problems will be in the long tail of packages, and users on the long tail by and large are not testing against HEAD on a nightly basis.

While this is a security issue, I don't think it's major enough to risk breaking long-tail packages at a point release.

I'm going to tentatively schedule the 1.12 backport for a couple of weeks after the 1.13 release, when we'll have a clearer view of just how broken the long tail is.

@bcmills bcmills added this to the Go1.12.6 milestone May 7, 2019
dmitshur (Member) commented Jun 7, 2019

I'm going to tentatively schedule the 1.12 backport for a couple of weeks after the 1.13 release, when we'll have a clearer view of just how broken the long tail is.

@bcmills Can you clarify what you meant by "a couple of weeks after the 1.13 release"? After the final 1.13 release (as in "v1.13.0" in semver form), or something else? If so, we should move this to a later 1.12.x milestone.

@bcmills bcmills modified the milestones: Go1.12.6, Go1.12.7 Jun 7, 2019
bcmills (Member, Author) commented Jun 7, 2019

After the final 1.13 release. I want folks to be able to go back to a supported 1.12 release as a mitigation if they discover a secure-to-insecure redirect when moving to 1.13.

@toothrot toothrot modified the milestones: Go1.12.7, Go1.12.8 Jul 8, 2019
toothrot (Contributor) commented Jul 8, 2019

Moving to Go1.12.8, as 1.13 is not yet out.

stefanb (Contributor) commented Aug 7, 2019

It seems that this is standing in the way of the 1.12.8 release with some urgent bugfixes (e.g. #33405).
I think this one should be moved to the 1.12.9 milestone, to be released after 1.13.

bcmills (Member, Author) commented Aug 7, 2019

@stefanb, this is not standing in the way of a release. (If it were, it would be labeled release-blocker.)

stefanb (Contributor) commented Aug 7, 2019

Yep, this is why this should be postponed to the next milestone/release, so that 1.12.8 could be released ASAP and this one with the next release (1.12.9) a few weeks after 1.13 (it currently has several active release blockers).

ianlancetaylor (Contributor) commented Aug 7, 2019

The point is, changing the milestone of this issue is not going to affect when the 1.12.8 release occurs.

@dmitshur dmitshur modified the milestones: Go1.12.8, Go1.12.9, Go1.12.10 Aug 13, 2019
bcmills (Member, Author) commented Sep 4, 2019

If we backport this fix, we should also backport CL 193259 which fixes a regression introduced in it.

bcmills (Member, Author) commented Sep 4, 2019

That said, I think this is too complex to backport, given the complication noted in #29591 (comment).

bcmills (Member, Author) commented Sep 16, 2019

(Decided not to backport; closing.)
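The bug class named in the issue title, and the "secure-to-insecure redirect" bcmills mentions as the thing users might discover when moving to 1.13, is an HTTP client whose redirect policy lets an https:// fetch land on a plain http:// URL. The following is an added, self-contained illustration; it is not cmd/go's code and was not posted by any participant. It stands up two local httptest servers (an HTTPS server that 302-redirects to a plain-HTTP origin), fetches through a client with Go's default redirect policy, which follows the downgrade, and through a client whose CheckRedirect refuses it. The names ErrInsecureRedirect, noDowngrade, NewStrictClient and RunDemo, and the module-like path, are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// ErrInsecureRedirect is returned when a redirect would move from https to a
// non-https scheme. (Hypothetical name chosen for this example; not in cmd/go.)
var ErrInsecureRedirect = errors.New("refusing redirect from https to plain http")

// noDowngrade is a CheckRedirect policy: follow redirects, but never from
// https to http, and never more than 10 hops (the stdlib default limit).
func noDowngrade(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	prev := via[len(via)-1]
	if prev.URL.Scheme == "https" && req.URL.Scheme != "https" {
		return fmt.Errorf("%w: %s -> %s", ErrInsecureRedirect, prev.URL, req.URL)
	}
	return nil
}

// NewStrictClient wraps a transport with the noDowngrade policy.
func NewStrictClient(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt, CheckRedirect: noDowngrade}
}

// RunDemo starts a plain-HTTP origin serving a constructed payload and an
// HTTPS server that 302-redirects every request to it. It fetches the HTTPS
// URL with a permissive client (default redirect policy) and with the strict
// client, returning the body the permissive client received and the error
// the strict client reported. err is only non-nil for setup/transport failures.
func RunDemo() (permissiveBody string, strictErr error, err error) {
	const path = "/example.com/mod/@v/v1.0.0.zip" // constructed, module-proxy-like path

	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "module payload served over plain http") // constructed payload
	}))
	defer plain.Close()

	secure := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The downgrade: an https:// request is sent on to an http:// URL.
		http.Redirect(w, r, plain.URL+r.URL.Path, http.StatusFound)
	}))
	defer secure.Close()

	// Transport that trusts the test server's self-signed certificate (test use only).
	rt := secure.Client().Transport

	// Default policy: http.Client follows up to 10 redirects regardless of scheme.
	permissive := &http.Client{Transport: rt}
	resp, err := permissive.Get(secure.URL + path)
	if err != nil {
		return "", nil, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return "", nil, err
	}
	permissiveBody = string(body)

	// Strict policy: the redirect is refused before any plain-HTTP request is issued.
	// When CheckRedirect fails, Get returns the prior response (body already closed)
	// and the error wrapped in a *url.Error, so errors.Is still finds our sentinel.
	strict := NewStrictClient(rt)
	resp2, strictErr := strict.Get(secure.URL + path)
	if resp2 != nil {
		resp2.Body.Close()
	}
	return permissiveBody, strictErr, nil
}

func main() {
	body, strictErr, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("permissive client got: %q\n", body)
	fmt.Printf("strict client error:   %v\n", strictErr)
	fmt.Println("downgrade blocked:", errors.Is(strictErr, ErrInsecureRedirect))
}
```

The check lives in CheckRedirect rather than in a post-hoc inspection of the final URL because by the time the final response is in hand the plain-HTTP request has already been sent, and whatever a network attacker substituted has already been downloaded; refusing at the redirect step is the only point at which the downgrade can be prevented rather than merely noticed.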

7 participants