Adds deprecation warning for -insecure flag on go get in both modules
and GOPATH mode.
Updates #37519.
Change-Id: Ie2efeeb4a91e6dda92955295969e9715314ae50e
GitHub-Last-Rev:
a9ebe21fe067baa12391ad4f9357d8e5b0cf7051
GitHub-Pull-Request: golang/go#41497
Reviewed-on: https://go-review.googlesource.com/c/go/+/255882
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Trust: Michael Matloob <matloob@golang.org>
Trust: Jay Conrod <jayconrod@google.com>
// this automatically as well.
//
// The -insecure flag permits fetching from repositories and resolving
-// custom domains using insecure schemes such as HTTP. Use with caution. The
-// GOINSECURE environment variable is usually a better alternative, since it
-// provides control over which modules may be retrieved using an insecure scheme.
+// custom domains using insecure schemes such as HTTP. Use with caution.
+// This flag is deprecated and will be removed in a future version of go.
+// The GOINSECURE environment variable is usually a better alternative, since
+// it provides control over which modules may be retrieved using an insecure
+// scheme. It should be noted that the -insecure flag also turns the module
+// checksum validation off. GOINSECURE does not do that, use GONOSUMDB.
// See 'go help environment' for details.
//
// The second step is to download (if needed), build, and install
// before resolving dependencies or building the code.
//
// The -insecure flag permits fetching from repositories and resolving
-// custom domains using insecure schemes such as HTTP. Use with caution. The
-// GOINSECURE environment variable is usually a better alternative, since it
-// provides control over which modules may be retrieved using an insecure scheme.
-// See 'go help environment' for details.
+// custom domains using insecure schemes such as HTTP. Use with caution.
+// This flag is deprecated and will be removed in a future version of go.
+// The GOINSECURE environment variable is usually a better alternative, since
+// it provides control over which modules may be retrieved using an insecure
+// scheme. See 'go help environment' for details.
//
// The -t flag instructs get to also download the packages required to build
// the tests for the specified packages.
before resolving dependencies or building the code.
The -insecure flag permits fetching from repositories and resolving
-custom domains using insecure schemes such as HTTP. Use with caution. The
-GOINSECURE environment variable is usually a better alternative, since it
-provides control over which modules may be retrieved using an insecure scheme.
-See 'go help environment' for details.
+custom domains using insecure schemes such as HTTP. Use with caution.
+This flag is deprecated and will be removed in a future version of go.
+The GOINSECURE environment variable is usually a better alternative, since
+it provides control over which modules may be retrieved using an insecure
+scheme. See 'go help environment' for details.
The -t flag instructs get to also download the packages required to build
the tests for the specified packages.
if *getF && !*getU {
base.Fatalf("go get: cannot use -f flag without -u")
}
+ if cfg.Insecure {
+ fmt.Fprintf(os.Stderr, "go get: -insecure flag is deprecated; see 'go help get' for details\n")
+ }
// Disable any prompting for passwords by Git.
// Only has an effect for 2.3.0 or later, but avoiding
this automatically as well.
The -insecure flag permits fetching from repositories and resolving
-custom domains using insecure schemes such as HTTP. Use with caution. The
-GOINSECURE environment variable is usually a better alternative, since it
-provides control over which modules may be retrieved using an insecure scheme.
+custom domains using insecure schemes such as HTTP. Use with caution.
+This flag is deprecated and will be removed in a future version of go.
+The GOINSECURE environment variable is usually a better alternative, since
+it provides control over which modules may be retrieved using an insecure
+scheme. It should be noted that the -insecure flag also turns the module
+checksum validation off. GOINSECURE does not do that, use GONOSUMDB.
See 'go help environment' for details.
The second step is to download (if needed), build, and install
if *getM {
base.Fatalf("go get: -m flag is no longer supported; consider -d to skip building packages")
}
+ if cfg.Insecure {
+ fmt.Fprintf(os.Stderr, "go get: -insecure flag is deprecated; see 'go help get' for details\n")
+ }
modload.LoadTests = *getT
// Do not allow any updating of go.mod until we've applied
--- /dev/null
+# GOPATH: Set up
+env GO111MODULE=off
+
+# GOPATH: Fetch without insecure, no warning
+! go get test
+! stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'
+
+# GOPATH: Fetch with insecure, should warn
+! go get -insecure test
+stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'
+
+# Modules: Set up
+env GO111MODULE=on
+
+# Modules: Fetch without insecure, no warning
+! go get test
+! stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'
+
+# Modules: Fetch with insecure, should warn
+! go get -insecure test
+stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'