cmd/go: all commands that can fetch dependencies should accept the insecure flag #32104

Open
rogpeppe opened this issue May 17, 2019 · 4 comments

3 participants
@rogpeppe
Contributor

commented May 17, 2019

go version devel +2e4edf4697 Sun May 12 07:14:09 2019 +0000 linux/amd64

When trying to work around issue #32071, I realised that although almost all of the go subcommands can download dependencies now, you can't allow insecure fetching.
The go get command supports insecure fetching but there's no easy way to make it use the version specified in the current module AFAICS.

Alternatively, it may be sufficient just to add an insecure flag to go mod download.

@bcmills

Member

commented May 17, 2019

@bcmills bcmills added this to the Go1.13 milestone May 17, 2019

@bcmills bcmills added the modules label May 17, 2019

@bcmills

Member

commented May 17, 2019

I really don't want people putting -insecure in their GOFLAGS and ending up doing insecure fetches when they run go build or go test.

I could maybe buy the need for a -insecure flag to go mod download, but I would want to see some compelling concrete reasons for it. (This specific GitHub bug seems likely to either be resolved soon on the GitHub side or receive a workaround in the go command itself, so it doesn't seem all that compelling — and note that you can always clone your dependency by whatever means you like and use an explicit replace directive to relocate it.)

@rogpeppe

Contributor Author

commented May 17, 2019

AFAICS, if go get has an -insecure flag, then go mod download should too. The insecure download is probably more dubious in go get tbh because that more often gets non-sum-checked dependencies, whereas go mod download is more likely to check everything with an existing go.sum file.

I guess it might be possible to allow insecure downloads only if the download can be fully checked by a local go.sum file.

@witchard


commented Jun 22, 2019

How about a GOINSECURE env variable similar to GONOPROXY and GONOSUMDB (https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md)? That way you could selectively disable https for specific URLs and remain secure by default.
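The two policy questions raised in this thread, whether a blanket `-insecure` in GOFLAGS would reach every command (bcmills' concern above) and how a per-module GOINSECURE list in the style of GONOPROXY would decide which fetches may skip HTTPS (witchard's proposal), can be made concrete with a small checker. The program below is an added illustration, not code from the Go project or from anyone in this thread. It assumes GOFLAGS is a space-separated list of flags, and it models the pattern list with the GONOPROXY semantics from the linked design document: a comma-separated list of `path.Match` globs, each compared against the leading path elements of a module path. All sample values are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
	"strings"
)

// goflagsEnablesInsecure reports whether a GOFLAGS value (space-separated
// flags such as "-mod=vendor -insecure") turns on -insecure. Because GOFLAGS
// is read by every go command that accepts the flag, a true result here
// means go build and go test would fetch without HTTPS, which is the
// situation the discussion above wants to avoid. (Assumed parsing: each
// field is "-name" or "-name=value"; a boolean value is honoured.)
func goflagsEnablesInsecure(goflags string) bool {
	for _, f := range strings.Fields(goflags) {
		name := strings.TrimLeft(f, "-")
		value := ""
		if i := strings.IndexByte(name, '='); i >= 0 {
			name, value = name[:i], name[i+1:]
		}
		if name != "insecure" {
			continue
		}
		if value == "" {
			return true // bare -insecure
		}
		if b, err := strconv.ParseBool(value); err == nil {
			return b // -insecure=true / -insecure=false
		}
	}
	return false
}

// matchPrefixPatterns reports whether modulePath matches any glob in a
// comma-separated list of the kind GONOPROXY and GONOSUMDB use: a glob with
// N path elements is matched against the first N elements of the module
// path. This is how a GOINSECURE variable could scope plain-HTTP fetching
// to specific hosts or paths while everything else stays HTTPS-only.
func matchPrefixPatterns(patterns, modulePath string) bool {
	for _, glob := range strings.Split(patterns, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		want := strings.Count(glob, "/") + 1
		elems := strings.Split(modulePath, "/")
		if len(elems) < want {
			continue // module path is shorter than the pattern
		}
		prefix := strings.Join(elems[:want], "/")
		if ok, err := path.Match(glob, prefix); err == nil && ok {
			return true
		}
	}
	return false
}

// insecureFetchAllowed combines both settings the way a reviewer of a build
// environment would read them: a blanket -insecure in GOFLAGS covers every
// module; otherwise only modules matched by the GOINSECURE-style list may
// be fetched without HTTPS.
func insecureFetchAllowed(goflags, goinsecure, modulePath string) bool {
	return goflagsEnablesInsecure(goflags) || matchPrefixPatterns(goinsecure, modulePath)
}

func main() {
	// Constructed sample configuration, not taken from any real environment.
	goflags := "-mod=vendor"
	goinsecure := "git.corp.example/*, legacy.example.com/internal"
	for _, m := range []string{
		"git.corp.example/team/lib",
		"legacy.example.com/internal/tool",
		"legacy.example.com/public/tool",
		"github.com/some/dep",
	} {
		fmt.Printf("%-36s insecure fetch allowed: %v\n", m, insecureFetchAllowed(goflags, goinsecure, m))
	}
	fmt.Println("GOFLAGS=-insecure reaches every module:", insecureFetchAllowed("-insecure", "", "github.com/some/dep"))
}
```

Running it shows the difference between the two designs: with the pattern list, only the two internal hosts are eligible for non-HTTPS fetching, whereas a single `-insecure` in GOFLAGS makes every module eligible regardless of origin.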
