cmd/go: error not reported for packages in vendor/ in module mode, without vendoring

[jayconrod]

What version of Go are you using (go version)?

$ go version
go version go1.13.7 darwin/amd64

Does this issue reproduce with the latest release?

Yes, also reproduces with 1.14rc1.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jayconrod/Library/Caches/go-build"
GOENV="/Users/jayconrod/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/jayconrod/go"
GOPRIVATE=""
GOPROXY="direct"
GOROOT="/opt/go/installed"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/installed/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/jayconrod/Code/test/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/rq/x0692kqj6ml8cvrhcqh5bswc008xj1/T/go-build248121802=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Created a regular package in a directory named vendor, not created with go mod vendor, not using -mod=vendor.

! go list -deps example.com/m

-- go.mod --
module example.com/m

go 1.14
-- use.go --
package use

import (
	_ "example.com/m/vendor"
	_ "example.com/m/vendor/x"
)
-- vendor/vendor.go --
package vendor
-- vendor/x/x.go --
package x

What did you expect to see?

Errors reported for packages in vendor/ when -mod=vendor is not active.

These are being treated as regular packages. Other modules won't be able to import these packages, since vendor directories are excluded from module zip files.

What did you see instead?

go list treats these like regular packages:

$ go list -deps example.com/m
example.com/m/vendor
example.com/m/vendor/x
example.com/m

cc @matloob @bcmills

[bcmills]

The example.com/m/vendor import should (possibly) be allowed regardless of the -mod flag:

go/src/cmd/go/internal/load/pkg.go

Lines 1415 to 1418 in 1c241d2

	// Note that terminating "vendor" elements don't count: "x/vendor" is its own package,
	// not the vendored copy of an import "" (the empty import path).
	// This will allow people to have packages or commands named vendor.
	// This may help reduce breakage, or it may just be confusing. We'll see.

But accepting example.com/m/vendor/x seems like a bug.

[matloob]

Hm, I'm on the "it may just be confusing" side: my intuition is either

*  "vendor" is meaningless outside of mod=vendor mode, acting like a normal package (which would be confusing be cause mod=vendor would result in a different build when it's on or off)

or better
* the only directory that's allowed to be named vendor must be in the root directory of a module, and when mod=vendor is off, all the source contained in that directory is ignored, and an error is reported if code is contained directly in vendor/