Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: mention GONOSUMDB if a module is successfully fetched but not in the sum db #32291

Open
tbpg opened this issue May 28, 2019 · 5 comments

Comments

Projects
None yet
5 participants
@tbpg
Copy link
Contributor

commented May 28, 2019

What version of Go are you using (go version)?

$ go version
go version devel +0f897f916a Tue May 28 02:52:39 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/tbp/.cache/go-build"
GOENV="/home/tbp/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/tbp/go"
GOPROXY="https://proxy.golang.org"
GOROOT="/home/tbp/code/gotip"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/tbp/code/gotip/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/tmp/bar/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build702923268=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version devel +0f897f916a Tue May 28 02:52:39 2019 +0000 linux/amd64
GOROOT/bin/go tool compile -V: compile version devel +0f897f916a Tue May 28 02:52:39 2019 +0000
uname -sr: Linux 4.19.28-2rodete1-amd64
Distributor ID:	Debian
Description:	Debian GNU/Linux rodete
Release:	rodete
Codename:	rodete
/lib/x86_64-linux-gnu/libc.so.6: GNU C Library (Debian GLIBC 2.24-12) stable release version 2.24, by Roland McGrath et al.

What did you do?

$ GOPROXY=https://proxy.golang.org GONOPROXY=github.com/tbpg go get github.com/tbpg/modules-testing

verifying github.com/tbpg/modules-testing@v0.0.0-20190528133524-a4881321cb96/go.mod: github.com/tbpg/modules-testing@v0.0.0-20190528133524-a4881321cb96/go.mod: reading https://sum.golang.org/lookup/github.com/tbpg/modules-testing@v0.0.0-20190528133524-a4881321cb96: 410 Gone

What did you expect to see?

I'm not sure we should make this change (might not want to make it obvious, for some sense of the word, how to disable the sum db).

The solution, in this case, is to add GONOSUMDB=github.com/tbpg. Could we mention GONOSUMDB in the error message?

What did you see instead?

410 Gone

cc @FiloSottile @bcmills

Related to #32184, which would have prevented this error.

@bcmills

This comment has been minimized.

Copy link
Member

commented May 28, 2019

@bcmills bcmills added this to the Go1.13 milestone May 28, 2019

@bcmills

This comment has been minimized.

Copy link
Member

commented May 28, 2019

I'm on the fence about this one, but suggested that @tbpg file an issue regardless.

We don't want to train users to add GONOSUMDB entries without considering the implications whenever the proxy returns a 404 or 410, but we do want users to be aware of GONOSUMDB when it is actually appropriate.

A missing sumdb entry seems much more likely to result from a private repo than from a genuine MITM attack, so GONOSUMDB is probably going to be the first hit from a Google or StackOverflow search regardless.

@FiloSottile

This comment has been minimized.

Copy link
Member

commented May 29, 2019

At the very least there needs to be a speed bump, like having to click on a link to the wiki. We don't want "here's some error about something checksum, here's the line to get on with your day". For example:

If you are trying to fetch a private module, see https://golang.org/wiki/PrivateModules. Otherwise, please report this issue at https://golang.org/issue/new.

@tbpg tbpg changed the title cmd/go: mention GONOSUMDB if a module is successfully fetched but in the sum db cmd/go: mention GONOSUMDB if a module is successfully fetched but not in the sum db May 31, 2019

@tbpg

This comment has been minimized.

Copy link
Contributor Author

commented Jun 4, 2019

Makes sense to me! Thanks.

Next steps are to figure out the right location for that documentation, write it, then update this error message to link to it. No ETA yet.

@rsc

This comment has been minimized.

Copy link
Contributor

commented Jun 4, 2019

We should definitely detect the 404/410 and print a nicer error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.