cmd/go: Unable to update dependency using insteadOf #34148

Closed
avorima opened this issue Sep 6, 2019 · 6 comments

@avorima avorima commented Sep 6, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Only with the latest release.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mv/.cache/go-build"
GOENV="/home/mv/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/mv/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/mv/.local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/mv/.local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/tmp/testmodule/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build026595744=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ cat ~/.gitconfig
[url "git@private.gitlab.com:"]
    insteadOf = "https://private.gitlab.com/"

$ go get private.gitlab.com/project/repo@vX.Y.Z

What did you expect to see?

That the dependency got added to the go.mod.

What did you see instead?

go: finding private.gitlab.com v0.1.0
go: finding private.gitlab.com/project v0.1.0
verifying private.gitlab.com/project/repo@vX.Y.Z: private.gitlab.com/project/repo@v0.1.0: reading https://sum.golang.org/lookup/private.gitlab.com/project/repo@v0.1.0: 410 Gone

After exporting GONOSUMDB=private.gitlab.com/project the dependency was added successfully. This is an unexpected behaviour, which is why we're currently still waiting with upgrading the go version in our environment.

Contributor

@hyangah hyangah commented Sep 6, 2019

Sorry for the inconvenience. I think this is working as intended.
The go1.13 release note mentions this in its very first section.

If you depend on non-public modules, see the documentation for configuring your environment.

GOPRIVATE (or GONOPROXY, GONOSUMDB) are offered to work with private repos.

Author

@avorima avorima commented Sep 9, 2019

Does this mean that it is intended that private repos are forced to migrate to using these env vars?

@dolmen dolmen commented Sep 9, 2019

Fix: export GOPRIVATE=private.gitlab.com

Author

@avorima avorima commented Sep 9, 2019

Yes, we know how to fix it. It's just that it doesn't work OOTB anymore. The GOPROXY env var has a direct fallback. We also tried GOSUMDB=sum.google.org,off and it worked. I don't understand why one has a fallback, while the other doesn't.

Contributor

@hyangah hyangah commented Sep 9, 2019

@avorima It's intentional that GOSUMDB doesn't accept a fallback. Otherwise, it's possible that a MITM attacker blocks your communication temporarily and lets you download a different version without being noticed. By triggering a failure, the go command at least draws your attention and you can check what's going on.

Author

@avorima avorima commented Sep 9, 2019

Ok, I read the sumdb proposal and I understand the security implications of a disabled GOSUMDB as a fallback. It also answered a few other questions I had about this whole infrastructure.
Thanks for your patience.

@avorima avorima closed this Sep 10, 2019
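
Added example (not part of the thread and not cmd/go's own code): a small re-implementation of the documented matching rule for GOPRIVATE/GONOSUMDB lists (comma-separated path.Match globs compared against module path prefixes), for checking how much a given value exempts from checksum database verification. The function name skipsSumDB and the sample lists are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// skipsSumDB (hypothetical helper) reports whether modPath matches any
// pattern in a GOPRIVATE/GONOSUMDB-style list: comma-separated path.Match
// globs, each compared against the leading path elements of the module path.
func skipsSumDB(patterns, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for _, glob := range strings.Split(patterns, ",") {
		if glob == "" {
			continue // empty list entries match nothing
		}
		n := strings.Count(glob, "/") + 1 // path elements in the pattern
		if n > len(elems) {
			continue // module path is shorter than the pattern
		}
		prefix := strings.Join(elems[:n], "/")
		if ok, _ := path.Match(glob, prefix); ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs: the value from the issue, the host-wide value
	// suggested in the thread, and a deliberately over-broad glob.
	lists := []string{"private.gitlab.com/project", "private.gitlab.com", "*.com"}
	mods := []string{
		"private.gitlab.com/project/repo",
		"private.gitlab.com/other/repo",
		"github.com/pkg/errors",
	}
	for _, l := range lists {
		for _, m := range mods {
			fmt.Printf("GONOSUMDB=%-28s %-34s unverified=%v\n", l, m, skipsSumDB(l, m))
		}
	}
}
```

A narrow value such as the one from the issue leaves every other module verified, while a broad glob like `*.com` turns verification off for public modules as well.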