// Because the entries are space-separated, flag values must
// not contain spaces. Flags listed on the command line
// are applied after this list and therefore override it.
+// GOINSECURE
+// Comma-separated list of glob patterns (in the syntax of Go's path.Match)
+// of module path prefixes that should always be fetched in an insecure
+// manner. Only applies to dependencies that are being fetched directly.
// GOOS
// The operating system for which to compile code.
// Examples are linux, darwin, windows, netbsd.
GOPPC64 = envOr("GOPPC64", fmt.Sprintf("%s%d", "power", objabi.GOPPC64))
GOWASM = envOr("GOWASM", fmt.Sprint(objabi.GOWASM))
- GOPROXY = envOr("GOPROXY", "https://proxy.golang.org,direct")
- GOSUMDB = envOr("GOSUMDB", "sum.golang.org")
- GOPRIVATE = Getenv("GOPRIVATE")
- GONOPROXY = envOr("GONOPROXY", GOPRIVATE)
- GONOSUMDB = envOr("GONOSUMDB", GOPRIVATE)
+ GOPROXY = envOr("GOPROXY", "https://proxy.golang.org,direct")
+ GOSUMDB = envOr("GOSUMDB", "sum.golang.org")
+ GOPRIVATE = Getenv("GOPRIVATE")
+ GONOPROXY = envOr("GONOPROXY", GOPRIVATE)
+ GONOSUMDB = envOr("GONOSUMDB", GOPRIVATE)
+ GOINSECURE = Getenv("GOINSECURE")
)
// GetArchEnv returns the name and setting of the
{Name: "GOFLAGS", Value: cfg.Getenv("GOFLAGS")},
{Name: "GOHOSTARCH", Value: runtime.GOARCH},
{Name: "GOHOSTOS", Value: runtime.GOOS},
+ {Name: "GOINSECURE", Value: cfg.GOINSECURE},
{Name: "GONOPROXY", Value: cfg.GONOPROXY},
{Name: "GONOSUMDB", Value: cfg.GONOSUMDB},
{Name: "GOOS", Value: cfg.Goos},
Because the entries are space-separated, flag values must
not contain spaces. Flags listed on the command line
are applied after this list and therefore override it.
+ GOINSECURE
+ Comma-separated list of glob patterns (in the syntax of Go's path.Match)
+ of module path prefixes that should always be fetched in an insecure
+ manner. Only applies to dependencies that are being fetched directly.
GOOS
The operating system for which to compile code.
Examples are linux, darwin, windows, netbsd.
--- /dev/null
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package modfetch
+
+import (
+ "cmd/go/internal/cfg"
+ "cmd/go/internal/get"
+ "cmd/go/internal/str"
+)
+
+// allowInsecure reports whether we are allowed to fetch this path in an insecure manner.
+func allowInsecure(path string) bool {
+ return get.Insecure || str.GlobsMatchPath(cfg.GOINSECURE, path)
+}
func lookupDirect(path string) (Repo, error) {
security := web.SecureOnly
- if get.Insecure {
+
+ if allowInsecure(path) {
security = web.Insecure
}
rr, err := get.RepoRootForImportPath(path, get.PreferMod, security)
// version control system, we ignore meta tags about modules
// and use only direct source control entries (get.IgnoreMod).
security := web.SecureOnly
- if get.Insecure {
+ if allowInsecure(path) {
security = web.Insecure
}
rr, err := get.RepoRootForImportPath(path, get.IgnoreMod, security)
--- /dev/null
+env GO111MODULE=on
+
+# secure fetch should report insecure warning
+cd $WORK/test
+go mod init
+stderr 'redirected .* to insecure URL'
+
+# insecure fetch should not
+env GOINSECURE=*.golang.org
+rm go.mod
+go mod init
+! stderr 'redirected .* to insecure URL'
+
+# insecure fetch invalid path should report insecure warning
+env GOINSECURE=foo.golang.org
+rm go.mod
+go mod init
+stderr 'redirected .* to insecure URL'
+
+-- $WORK/test/dependencies.tsv --
+vcs-test.golang.org/insecure/go/insecure git 6fecd21f7c0c 2019-09-04T18:39:48Z
+
+-- $WORK/test/x.go --
+package x // import "m"
stderr 'redirected .* to insecure URL'
go get -d -insecure vcs-test.golang.org/insecure/go/insecure
+
+# insecure host
+env GOINSECURE=vcs-test.golang.org
+go clean -modcache
+go get -d vcs-test.golang.org/insecure/go/insecure
+
+# insecure glob host
+env GOINSECURE=*.golang.org
+go clean -modcache
+go get -d vcs-test.golang.org/insecure/go/insecure
+
+# insecure multiple host
+env GOINSECURE=somewhere-else.com,*.golang.org
+go clean -modcache
+go get -d vcs-test.golang.org/insecure/go/insecure
+
+# different insecure host does not fetch
+env GOINSECURE=somewhere-else.com
+go clean -modcache
+! go get -d vcs-test.golang.org/insecure/go/insecure
+stderr 'redirected .* to insecure URL'
! go get -d rsc.io/quote@v1.5.2
stderr 504
+# GOINSECURE does not bypass checksum lookup
+env GOINSECURE=rsc.io
+env GOPROXY=$proxy/sumdb-504
+! go get -d rsc.io/quote@v1.5.2
+stderr 504
+
# but -insecure bypasses the checksum lookup entirely
+env GOINSECURE=
go get -d -insecure rsc.io/quote@v1.5.2
# and then it is in go.sum again
GOGCCFLAGS
GOHOSTARCH
GOHOSTOS
+ GOINSECURE
GOMIPS
GOMIPS64
GONOPROXY