
cmd/go: should GOINSECURE imply GONOSUMDB? #38108

Closed
perillo opened this issue Mar 27, 2020 · 7 comments
Labels: FrozenDueToAge, GoCommand, cmd/go, NeedsDecision

Comments

@perillo
Contributor

perillo commented Mar 27, 2020

What version of Go are you using (go version)?

$ go version
go version go1.14.1 linux/amd64

Does this issue reproduce with the latest release?

Yes.
It also reproduces with the current gotip.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN="/home/manlio/.local/bin"
GOCACHE="/home/manlio/.cache/go-build"
GOENV="/home/manlio/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE="*.local"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/manlio/.local/lib/go:/home/manlio/src/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build165827450=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.14.1 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.14.1
uname -sr: Linux 5.5.11-arch1-1
/usr/lib/libc.so.6: GNU C Library (GNU libc) stable release version 2.31.
gdb --version: GNU gdb (GDB) 9.1

What did you do?

The documentation in https://golang.org/pkg/cmd/go/#hdr-Module_authentication_failures says

If GOSUMDB is set to "off", or if "go get" is invoked with the -insecure flag, the checksum database is not consulted, and all unrecognized modules are accepted, at the cost of giving up the security guarantee of verified repeatable downloads for all modules

However, when GOINSECURE is set for a module, GOSUMDB is consulted for that module.

If #37519 is implemented, then GOINSECURE will have different semantics compared to the -insecure flag.

Thanks.

@andybons andybons added the GoCommand, cmd/go and NeedsInvestigation labels Mar 27, 2020
@andybons andybons added this to the Unplanned milestone Mar 27, 2020
@andybons
Member

@bcmills @matloob @jayconrod

@bcmills bcmills changed the title cmd/go: go get should not consult GOSUMDB with GOINSECURE cmd/go: should GOINSECURE imply GONOSUMDB? Mar 27, 2020
@bcmills bcmills added the NeedsDecision label Mar 27, 2020
@bcmills bcmills modified the milestones: Unplanned, Backlog Mar 27, 2020
@gopherbot gopherbot removed the NeedsInvestigation label Mar 27, 2020
@bcmills
Contributor

bcmills commented Mar 27, 2020

@FiloSottile, do you have any insight on this?

@bcmills
Contributor

bcmills commented Mar 27, 2020

I'm inclined to say that GOINSECURE and GONOSUMDB (which controls which modules are checked in the sumdb) should be independent.

Here's my reasoning: if you are blocked from an HTTPS connection to the origin, but the sumdb server is able to fetch from the origin via HTTPS, then the origin can serve a plain-HTTP response to you and you can combine that with the checksum from the database to obtain a trustworthy copy of the module, even if that module is not available from any proxy that you can reach. (Recall that a proxy can provide access to signed sum.golang.org checksums even if proxy.golang.org is blocked.)

@bcmills
Contributor

bcmills commented Mar 27, 2020

Or, to put it another way: the difference between GOINSECURE and the -insecure flag is intentional. GOINSECURE provides very tightly-targeted exceptions for specific problems, whereas -insecure is one big hammer that disables everything.

Since you can also set GONOSUMDB (perhaps via GOPRIVATE), you can still fetch any module that you would have been able to fetch using -insecure — you just have to explicitly disable the two layers of security (TLS signatures and module checksums) independently.

@bcmills bcmills modified the milestones: Backlog, Unplanned Mar 27, 2020
@FiloSottile
Contributor

The checksum database is more, not less, important for GOINSECURE fetches, as there is no transport security to rely on. We should definitely keep them independent, also because we should encourage setting GOPRIVATE for private modules, not GOINSECURE (unless needed).
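As an added illustration (not code from the go command or from anyone in this thread), the two independent layers bcmills and FiloSottile describe, modelled with the prefix-glob matching rule cmd/go applies to GOINSECURE and GONOSUMDB/GOPRIVATE. The names `Env`, `Policy` and `policyFor` are assumed here, and the module path `git.local/team/mod` is constructed; the reporter's own setting, GOINSECURE="*.local" with GONOSUMDB and GOPRIVATE empty, is the first case.

```go
package main

import (
	"path"
	"strings"
)

// matchPrefixPatterns reports whether any "/"-separated prefix of target matches one of
// the comma-separated path.Match globs (cmd/go's rule for GOINSECURE/GONOSUMDB/GOPRIVATE).
func matchPrefixPatterns(globs, target string) bool {
	for _, glob := range strings.Split(globs, ",") {
		if glob = strings.TrimSpace(glob); glob == "" {
			continue
		}
		// Try the full path first, then drop one trailing element at a time.
		for prefix := target; prefix != ""; {
			if ok, _ := path.Match(glob, prefix); ok {
				return true
			}
			i := strings.LastIndex(prefix, "/")
			if i < 0 {
				break
			}
			prefix = prefix[:i]
		}
	}
	return false
}

// Env holds the variables the thread discusses (GONOSUMDB defaults to GOPRIVATE).
type Env struct{ GOINSECURE, GONOSUMDB, GOPRIVATE string }

// Policy is what the go command enforces for one module path.
type Policy struct {
	RequireTLS    bool // cleared only by a GOINSECURE match (transport layer)
	VerifyWithSum bool // cleared only by a GONOSUMDB/GOPRIVATE match (checksum layer)
}

// policyFor evaluates the two layers independently: a GOINSECURE match never
// turns off checksum verification, which is the behaviour reported above.
func policyFor(env Env, modPath string) Policy {
	nosumdb := env.GONOSUMDB
	if nosumdb == "" {
		nosumdb = env.GOPRIVATE
	}
	return Policy{
		RequireTLS:    !matchPrefixPatterns(env.GOINSECURE, modPath),
		VerifyWithSum: !matchPrefixPatterns(nosumdb, modPath),
	}
}
```

With only GOINSECURE set, a plain-HTTP fetch is still checked against the sumdb; adding the same pattern to GOPRIVATE (or GONOSUMDB) is the explicit second step that reproduces what -insecure does in one go.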

@perillo
Contributor Author

perillo commented Mar 27, 2020

Thanks.

I opened the issue because I found the behavior between GOINSECURE and -insecure different, and I was not sure if it was intentional. Since it is intentional, the issue can be closed.

I'm not sure if the difference between GOINSECURE and -insecure deserves additional documentation. It should probably be mentioned in #37519.

@bcmills
Contributor

bcmills commented Mar 27, 2020

Thanks for checking. I added a note on that issue.

@bcmills bcmills closed this as completed Mar 27, 2020
@golang golang locked and limited conversation to collaborators Mar 27, 2021