Skip to content

Remove GOINSECURE from gomod patch generation#1126

Merged
cpuguy83 merged 1 commit into
project-dalec:mainfrom
cpuguy83:cpuguy83-remove-gomod-goinsecure
Jul 3, 2026
Merged

Remove GOINSECURE from gomod patch generation#1126
cpuguy83 merged 1 commit into
project-dalec:mainfrom
cpuguy83:cpuguy83-remove-gomod-goinsecure

Conversation

@cpuguy83

Copy link
Copy Markdown
Collaborator

Why

The gomod replace/tidy preprocessing step set GOINSECURE to the same host list as GOPRIVATE, silently disabling TLS certificate verification for those hosts.

Investigating its actual behavior:

  • Inert for SSH auth. The git insteadOf rewrite redirects to ssh:// before Go's HTTP client is involved, so there is no TLS path for GOINSECURE to affect.
  • Inconsistently applied. It was only set in the patch/tidy preprocessing step, never in the dependency download step (generator_gomod.go). A private HTTPS host with an untrusted cert would still fail there, so the setting never enabled a working end-to-end scenario.
  • Untested. No test combines a private-auth host with gomod edits and live execution, so nothing exercised it.

In short, it weakened certificate validation without enabling any working behavior. This removes it. GOPRIVATE is retained, so module privacy (skipping proxy/sumdb for the configured hosts) is unchanged.

The gomod replace/tidy preprocessing step set GOINSECURE to the same host
list as GOPRIVATE, silently disabling TLS verification for those hosts.
It was inert for SSH auth (insteadOf rewrites bypass Go's HTTP client) and
was never set in the dependency download step, so it enabled no working
scenario while weakening certificate validation. GOPRIVATE is retained for
module privacy.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Copilot AI review requested due to automatic review settings June 30, 2026 20:09

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes use of GOINSECURE from the go.mod patch/tidy preprocessing path so the preprocessing step no longer disables TLS certificate verification for private module hosts. This aligns behavior with the rest of the build pipeline (which already wasn’t setting GOINSECURE) while keeping GOPRIVATE for proxy/sumdb privacy behavior.

Changes:

  • Stop exporting/propagating GOINSECURE in the gomod patch generation environment.
  • Keep GOPRIVATE host calculation/export as the only Go module privacy-related env var for this step.
  • Update the gomod patch script’s documented expected environment variables accordingly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
scripts/gomod-patch.sh Removes GOINSECURE from the documented/handled env vars; retains GOPRIVATE export only.
preprocess.go Removes goInsecure derivation and no longer sets env["GOINSECURE"] for the gomod patch script.

@cpuguy83 cpuguy83 self-assigned this Jul 1, 2026
@cpuguy83 cpuguy83 merged commit 829e181 into project-dalec:main Jul 3, 2026
50 of 52 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants