cmd/go/internal/modfetch: add GOINSECURE #35357

Closed

@witchard witchard commented Nov 4, 2019

Enables insecure fetching of dependencies whose path matches those specified in
the environment variable GOINSECURE.

Fixes #32966

@googlebot

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project (if not, look below for help). Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed (or fixed any issues), please reply here with @googlebot I signed it! and we'll verify it.


@googlebot googlebot added the cla: no Used by googlebot to label PRs as having an invalid CLA. The text of this label should not change. label Nov 4, 2019
@witchard
Contributor Author

witchard commented Nov 4, 2019

I think I have signed the CLA now.

Also, I was very confused about how the script tests work to actually test this - are there some pointers somewhere on how I would run a script test with a custom webserver (that isn't secure!)?

@witchard
Contributor Author

witchard commented Nov 4, 2019

@googlebot I signed it!

@googlebot

CLAs look good, thanks!

ℹ️ Googlers: Go here for more info.

@googlebot googlebot added cla: yes Used by googlebot to label PRs as having a valid CLA. The text of this label should not change. and removed cla: no Used by googlebot to label PRs as having an invalid CLA. The text of this label should not change. labels Nov 4, 2019
@gopherbot
Contributor

This PR (HEAD: e0f7e06) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/205238 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

@gopherbot
Contributor

Message from Gobot Gobot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
Within the next week or so, a maintainer will review your change and provide
feedback. See https://golang.org/doc/contribute.html#review for more info and
tips to get your patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11, it means that this CL will be reviewed as part of the next development
cycle. See https://golang.org/s/release for more details.


Please don’t reply on this GitHub thread. Visit golang.org/cl/205238.
After addressing review feedback, remember to publish your drafts!

@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 1:

The code change looks good, but this needs a regression test.

cmd/go tests in general belong in src/cmd/go/testdata/script; see the README there for documentation. (You may be able to extend the existing mod_get_insecure_redirect.txt to cover the new code paths.)


@gopherbot
Contributor

Message from witchard:

Patch Set 1:

Thanks, I was a bit confused about the script tests so thanks for pointing at an example. I’ll have a go at that when I next get a chance.

Do you think it makes sense that if GOINSECURE is set that should automatically set GONOPROXY for that dependency?

Also, just to check, should I just amend the commit when I modify things; or is it ok to push multiple commits?


@gopherbot
Contributor

Message from Jay Conrod:

Patch Set 1:

> Thanks, I was a bit confused about the script tests so thanks for pointing at an example. I’ll have a go at that when I next get a chance.

Just so you know, the Go 1.14 freeze started yesterday. We'd like pending CLs (except documentation and bug fixes) to be submitted by the following Monday, November 11. So we may hold this for Go 1.15 if it's not ready by then.

> Also, just to check, should I just amend the commit when I modify things; or is it ok to push multiple commits?

Either should work.


@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 1:

> Patch Set 1:
>
> Thanks, I was a bit confused about the script tests so thanks for pointing at an example. I’ll have a go at that when I next get a chance.
>
> Do you think it makes sense that if GOINSECURE is set that should automatically set GONOPROXY for that dependency?

No, I don't think GOINSECURE should imply GONOPROXY.

Consider, for example, a certificate expiration on some host: it is possible that the proxy has already cached most versions from that host, in which case you would prefer to use the proxy for those versions, only falling back to the insecure host for the specific versions that are not in the proxy's cache.

> Also, just to check, should I just amend the commit when I modify things; or is it ok to push multiple commits?

I believe that GerritBot squashes all of the commits when pulling in a GitHub PR anyway, and we do the actual reviewing on the Gerrit side, so either approach should be fine.


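The independence Bryan C. Mills describes above, sketched as an added example that is not code from this PR or from cmd/go: each variable is matched against the module path on its own, so a GOINSECURE match never bypasses the proxy. It assumes the go command's documented matching rule (comma-separated path.Match globs applied to module path prefixes); `matchPrefixGlobs`, `FetchPolicy`, `policyFor` and the host names are hypothetical.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixGlobs reports whether any comma-separated glob (path.Match
// syntax) matches a leading run of path elements of modPath.
func matchPrefixGlobs(globs, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for _, glob := range strings.Split(globs, ",") {
		if glob == "" {
			continue
		}
		// A glob with N slashes is compared with the first N+1 elements.
		n := strings.Count(glob, "/") + 1
		if len(elems) < n {
			continue // module path has fewer elements than the pattern
		}
		if ok, err := path.Match(glob, strings.Join(elems[:n], "/")); err == nil && ok {
			return true
		}
	}
	return false
}

// FetchPolicy holds two decisions that are made independently per module.
type FetchPolicy struct {
	SkipProxy     bool // GONOPROXY matched: fetch directly from the origin
	AllowInsecure bool // GOINSECURE matched: a direct fetch may be insecure
}

// policyFor evaluates both variables; a GOINSECURE match never sets SkipProxy.
func policyFor(modPath, goinsecure, gonoproxy string) FetchPolicy {
	return FetchPolicy{
		SkipProxy:     matchPrefixGlobs(gonoproxy, modPath),
		AllowInsecure: matchPrefixGlobs(goinsecure, modPath),
	}
}

func main() {
	// Constructed sample values, not taken from the PR.
	goinsecure, gonoproxy := "*.corp.example.com,legacy.example.org/tools", "legacy.example.org"
	for _, m := range []string{
		"git.corp.example.com/team/lib",
		"legacy.example.org/tools/gen",
		"legacy.example.org/other",
		"golang.org/x/text",
	} {
		fmt.Printf("%-32s %+v\n", m, policyFor(m, goinsecure, gonoproxy))
	}
}
```

Running the same matcher over the module paths in a build's dependency list shows exactly which fetches a proposed GOINSECURE value would exempt from transport security.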

@gopherbot
Contributor

Message from witchard:

Patch Set 1:

> Patch Set 1:
>
> > Patch Set 1:
> >
> > Thanks, I was a bit confused about the script tests so thanks for pointing at an example. I’ll have a go at that when I next get a chance.
> >
> > Do you think it makes sense that if GOINSECURE is set that should automatically set GONOPROXY for that dependency?
>
> No, I don't think GOINSECURE should imply GONOPROXY.
>
> Consider, for example, a certificate expiration on some host: it is possible that the proxy has already cached most versions from that host, in which case you would prefer to use the proxy for those versions, only falling back to the insecure host for the specific versions that are not in the proxy's cache.

ah yes fair point, and less code too 😊


@gopherbot
Contributor

This PR (HEAD: c2eb8af) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/205238 to see it.

@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 2:

(2 comments)


@gopherbot
Contributor

Message from witchard:

Patch Set 2:

(1 comment)

Patch Set 2:

(2 comments)


@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 2:

(1 comment)


@gopherbot
Contributor

Message from witchard:

Patch Set 2:

(2 comments)

Patch Set 2:

(2 comments)


@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 2:

(1 comment)


@gopherbot
Contributor

This PR (HEAD: e8f485a) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/205238 to see it.

@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 3:

(2 comments)



Enables insecure fetching of dependencies whose path matches those specified in
the environment variable GOINSECURE.

Fixes golang#32966
@gopherbot
Contributor

This PR (HEAD: 2c87b30) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/205238 to see it.

@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 4: Run-TryBot+1 Code-Review+2

TRY=linux-386-longtest


@gopherbot
Contributor

Message from Gobot Gobot:

Patch Set 4:

SlowBots beginning. Status page: https://farmer.golang.org/try?commit=c61ec5e1


@gopherbot
Contributor

Message from Gobot Gobot:

Patch Set 4: TryBot-Result-1

1 of 21 SlowBots failed:
Failed on linux-386-longtest: https://storage.googleapis.com/go-build-log/c61ec5e1/linux-386-longtest_af7a51b7.log

Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test exactly your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.

Extra slowbot builds that ran:

  • linux-386-longtest

@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 5: Patch Set 4 was rebased


@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 5: Run-TryBot+1


@gopherbot
Contributor

Message from Gobot Gobot:

Patch Set 5:

SlowBots beginning. Status page: https://farmer.golang.org/try?commit=3be39a28


@gopherbot
Contributor

Message from witchard:

Patch Set 5:

> Patch Set 4: TryBot-Result-1
>
> 1 of 21 SlowBots failed:
> Failed on linux-386-longtest: https://storage.googleapis.com/go-build-log/c61ec5e1/linux-386-longtest_af7a51b7.log
>
> Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test exactly your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.
>
> Extra slowbot builds that ran:
>
>   • linux-386-longtest

Out of interest - would it have been sensible for me to keep my branch rebased on master as I was working on it?


@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 5:

> Patch Set 5:
>
> > Patch Set 4: TryBot-Result-1
> >
> > 1 of 21 SlowBots failed:
> > Failed on linux-386-longtest: https://storage.googleapis.com/go-build-log/c61ec5e1/linux-386-longtest_af7a51b7.log
> >
> > Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test exactly your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.
> >
> > Extra slowbot builds that ran:
> >
> >   • linux-386-longtest
>
> Out of interest - would it have been sensible for me to keep my branch rebased on master as I was working on it?

Normally, absolutely yes.

This week? I'm not sure. (We've been dealing with a lot of runtime regressions this week. 😩)


@gopherbot
Contributor

Message from Gobot Gobot:

Patch Set 5: TryBot-Result-1

1 of 21 SlowBots failed:
Failed on linux-386-longtest: https://storage.googleapis.com/go-build-log/3be39a28/linux-386-longtest_714d4ae7.log

Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test exactly your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.

Extra slowbot builds that ran:

  • linux-386-longtest

@gopherbot
Contributor

Message from Bryan C. Mills:

Patch Set 5: Code-Review+1

> Patch Set 5: TryBot-Result-1
>
> 1 of 21 SlowBots failed:
> Failed on linux-386-longtest: https://storage.googleapis.com/go-build-log/3be39a28/linux-386-longtest_714d4ae7.log
>
> Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test exactly your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.
>
> Extra slowbot builds that ran:
>
>   • linux-386-longtest

That's a known issue, https://golang.org/issue/35461. From a cmd/go perspective, I think this is good to go, but I'd like to get a second look from Jay before we merge it.

Thanks for the quick turnaround!


@gopherbot
Contributor

Message from witchard:

Patch Set 5:

> Patch Set 5: Code-Review+1
>
> > Patch Set 5: TryBot-Result-1
> >
> > 1 of 21 SlowBots failed:
> > Failed on linux-386-longtest: https://storage.googleapis.com/go-build-log/3be39a28/linux-386-longtest_714d4ae7.log
> >
> > Consult https://build.golang.org/ to see whether they are new failures. Keep in mind that TryBots currently test exactly your git commit, without rebasing. If your commit's git parent is old, the failure might've already been fixed.
> >
> > Extra slowbot builds that ran:
> >
> >   • linux-386-longtest
>
> That's a known issue, https://golang.org/issue/35461. From a cmd/go perspective, I think this is good to go, but I'd like to get a second look from Jay before we merge it.
>
> Thanks for the quick turnaround!

No worries, thanks for your help 😊



gopherbot pushed a commit that referenced this pull request Nov 8, 2019
Enables insecure fetching of dependencies whose path matches those specified in
the environment variable GOINSECURE.

Fixes #32966

Change-Id: I378920fbd5a4436df0b5af3fb5533e663e2cc758
GitHub-Last-Rev: 2c87b30
GitHub-Pull-Request: #35357
Reviewed-on: https://go-review.googlesource.com/c/go/+/205238
Run-TryBot: Bryan C. Mills <[email protected]>
Reviewed-by: Bryan C. Mills <[email protected]>
Reviewed-by: Jay Conrod <[email protected]>
@gopherbot
Contributor

Message from Jay Conrod:

Patch Set 5: Code-Review+2

Looks good, thanks for working on this!


@gopherbot
Contributor

This PR is being closed because golang.org/cl/205238 has been merged.

@gopherbot gopherbot closed this Nov 8, 2019
e-nikolov pushed a commit to e-nikolov/json that referenced this pull request Nov 25, 2021
adotkhan pushed a commit to Psiphon-Labs/utls that referenced this pull request Dec 11, 2024