cmd/go: Unable to update dependency using insteadOf #34148

Closed
avorima opened this issue Sep 6, 2019 · 6 comments

avorima commented Sep 6, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Only with the latest release.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/mv/.cache/go-build"
GOENV="/home/mv/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/mv/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/mv/.local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/mv/.local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/tmp/testmodule/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build026595744=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ cat ~/.gitconfig
[url "git@private.gitlab.com:"]
    insteadOf = "https://private.gitlab.com/"

$ go get private.gitlab.com/project/repo@vX.Y.Z

What did you expect to see?

That the dependency got added to the go.mod.

What did you see instead?

go: finding private.gitlab.com v0.1.0
go: finding private.gitlab.com/project v0.1.0
verifying private.gitlab.com/project/repo@vX.Y.Z: private.gitlab.com/project/repo@v0.1.0: reading https://sum.golang.org/lookup/private.gitlab.com/project/repo@v0.1.0: 410 Gone

After exporting GONOSUMDB=private.gitlab.com/project the dependency was added successfully. This is an unexpected behaviour, which is why we're currently still waiting with upgrading the go version in our environment.

hyangah (Contributor) commented Sep 6, 2019

Sorry for the inconvenience. I think this is working as intended.
The go1.13 release note mentions this in its very first section.

If you depend on non-public modules, see the documentation for configuring your environment.

GOPRIVATE (or GONOPROXY, GONOSUMDB) are offered to work with private repos.

avorima (Author) commented Sep 9, 2019

Does this mean that it is intended that private repos are forced to migrate to using these env vars?

dolmen (Contributor) commented Sep 9, 2019

Fix: export GOPRIVATE=private.gitlab.com

avorima (Author) commented Sep 9, 2019

Yes, we know how to fix it. It's just that it doesn't work OOTB anymore. The GOPROXY env var has a direct fallback. We also tried GOSUMDB=sum.google.org,off and it worked. I don't understand why one has a fallback, while the other doesn't.

hyangah (Contributor) commented Sep 9, 2019

@avorima It's intentional that GOSUMDB doesn't accept a fallback. Otherwise, it's possible that a MITM attacker blocks your communication temporarily and lets you download a different version without being noticed. By triggering a failure, at least, the go command draws your attention and you can check what's going on.

avorima (Author) commented Sep 9, 2019

Ok, I read the sumdb proposal and I understand the security implications of disabled GOSUMDB as fallback. It also answered a few other questions I had about this whole infrastructure.
Thanks for your patience.

@avorima avorima closed this as completed Sep 10, 2019
@golang golang locked and limited conversation to collaborators Sep 9, 2020
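
The behaviour discussed in this thread, as an added Go sketch (not code from the Go project or from any participant): it models which module paths are checked against the checksum database and shows that a failed lookup aborts instead of falling back to "off". The function names, `errGone` and the lookup stub are hypothetical; the matching follows the documented glob-prefix rule for GOPRIVATE/GONOSUMDB, and other go command settings are ignored.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// matchPrefix reports whether a leading path prefix of target matches any
// comma-separated glob (path.Match syntax), as documented for GONOSUMDB.
func matchPrefix(globs, target string) bool {
	for _, glob := range strings.Split(globs, ",") {
		elems := strings.Split(target, "/")
		n := strings.Count(glob, "/") + 1 // path elements the glob covers
		if glob == "" || n > len(elems) {
			continue
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// usesSumDB is a simplified model of the decision to consult the checksum DB.
func usesSumDB(mod, gosumdb, goprivate, gonosumdb string) bool {
	if gonosumdb == "" {
		gonosumdb = goprivate // GOPRIVATE is the default for GONOSUMDB
	}
	return gosumdb != "off" && !matchPrefix(gonosumdb, mod)
}

var errGone = errors.New("410 Gone") // constructed stand-in for the sumdb reply

// verify fails closed: a lookup error aborts instead of silently skipping the check.
func verify(mod, gosumdb, goprivate, gonosumdb string, lookup func(string) error) error {
	if !usesSumDB(mod, gosumdb, goprivate, gonosumdb) {
		return nil // the operator opted this module out explicitly
	}
	if err := lookup(mod); err != nil {
		return fmt.Errorf("verifying %s: %w", mod, err)
	}
	return nil
}

func main() {
	mod := "private.gitlab.com/project/repo"
	unknown := func(string) error { return errGone } // sumdb cannot see a private module
	fmt.Println(verify(mod, "sum.golang.org", "", "", unknown))
	fmt.Println(verify(mod, "sum.golang.org", "", "private.gitlab.com/project", unknown))
	fmt.Println(verify(mod, "sum.golang.org", "private.gitlab.com", "", unknown))
}
```

Only an explicit, operator-set pattern or `GOSUMDB=off` skips the lookup; a network failure or an unknown module never does.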