From: Russ Cox <rsc@golang.org>
Date: Fri, 16 Jun 2023 17:08:23 +0000 (-0400)
Subject: cmd/go: disable sumdb less often for toolchain downloads
X-Git-Tag: go1.21rc2~1^2~3
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=6459494014;p=gostls13.git

cmd/go: disable sumdb less often for toolchain downloads

There is a chicken and egg problem with always requiring
the checksum database for toolchain module downloads, since the
checksum database populates its entry by doing its own module
download.

Don't require the checksum database for GOPROXY=file:/// (for local testing)
and when running on the Go module mirror.

For #60847.

Change-Id: I5d67d585169ae0fa73109df233baae8ba5fe5dd3
Reviewed-on: https://go-review.googlesource.com/c/go/+/503978
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Run-TryBot: Russ Cox <rsc@golang.org>
---

diff --git a/src/cmd/go/internal/modfetch/sumdb.go b/src/cmd/go/internal/modfetch/sumdb.go
index 6e60e7d976..ea7d561d7b 100644
--- a/src/cmd/go/internal/modfetch/sumdb.go
+++ b/src/cmd/go/internal/modfetch/sumdb.go
@@ -34,12 +34,34 @@ import (
 // useSumDB reports whether to use the Go checksum database for the given module.
 func useSumDB(mod module.Version) bool {
 	if mod.Path == "golang.org/toolchain" {
+		must := true
 		// Downloaded toolchains cannot be listed in go.sum,
 		// so we require checksum database lookups even if
 		// GOSUMDB=off or GONOSUMDB matches the pattern.
 		// If GOSUMDB=off, then the eventual lookup will fail
 		// with a good error message.
-		return true
+
+		// Exception #1: using GOPROXY=file:// to test a distpack.
+		if strings.HasPrefix(cfg.GOPROXY, "file://") && !strings.ContainsAny(cfg.GOPROXY, ",|") {
+			must = false
+		}
+		// Exception #2: the Go proxy+checksum database cannot check itself
+		// while doing the initial download.
+		if strings.Contains(os.Getenv("GIT_HTTP_USER_AGENT"), "proxy.golang.org") {
+			must = false
+		}
+
+		// Another potential exception would be GOPROXY=direct,
+		// but that would make toolchain downloads only as secure
+		// as HTTPS, and in particular they'd be susceptible to MITM
+		// attacks on systems with less-than-trustworthy root certificates.
+		// The checksum database provides a stronger guarantee,
+		// so we don't make that exception.
+
+		// Otherwise, require the checksum database.
+		if must {
+			return true
+		}
 	}
 	return cfg.GOSUMDB != "off" && !module.MatchPrefixPatterns(cfg.GONOSUMDB, mod.Path)
 }