cmd/go: allow users to control VCS usage #41730
Comments
|
Strong support. This would significantly reduce the attack surface of "go get". I think the proposal could make the relative priority of comma and pipe more clear, but it looks like there is only one reasonable interpretation. Once this is implemented, I think we should consider vulnerabilities in any VCS other than Git and Mercurial as out of scope for golang.org/security. /cc @golang/security |
|
This is a step in the right direction, however I agree with the original "We want to move away from invoking version control tools". In other programming languages, like say, Ruby, the equivalent of go modules is distributed as special purpose archives, like .gem files for Ruby. Go should allow something similar with a go module pack command that packs your module foo v1.2.3 to such an archive, maybe named foo@1.2.3.nut, which go get then can download over https, based on the go.mod file. |
|
@beoran, we already support a protocol that does not need to invoke any version control tools. The I presume that under this proposal, |
|
It seems like everyone is in favor of this. Do I have that right? Are there any objections? |
|
@bcmills That is nice to know, but not very practical. Ruby gems are far easier to use than a raw goprogy. But I support this proposal as a step in the right direction. |
|
Based on the discussion above, this seems like a likely accept. |
|
No change in consensus, so accepted. |
rsc
changed the title
|
As I implement this and look at parsing error cases, it seems like a mistake to allow items in the list that do not have a pattern: prefix. If we did that, then mysteriously means "git only", because all paths match the "git" rule, leaving nothing to go on to the "svn" rule. Similarly, means "myserver.com can only use git; everything else can only use svn", which is not what it looks like at all. The most ergonomic answer here seems to be to require every item in the comma-separated list to have the form pattern:vcslist, so that you can write if that's what you mean, but will be flagged as invalid instead of silently meaning the same thing. |
|
Change https://golang.org/cl/266420 mentions this issue: |
|
How will this interact with go-import meta tags? From what I can discern it would apply to the import/module path and not the repository that go-import points to, is that correct? For example go.tmthrgd.dev (my vanity domain) serves go-import meta tags like: Intuitively I would expect github.com to match (as that's what the git tool is invoked) against and not the vanity domain, but I suspect it's the other way around. I think the interaction with go-import might be worth documenting somewhere. |
|
@tmthrgd |
|
Reopening because CL 266420 was reverted in CL 267799; it needs to be re-sent. |
|
Change https://golang.org/cl/267888 mentions this issue: |
|
|
|
Looks like it was not. We should add a release note, too. |
|
Change https://golang.org/cl/290992 mentions this issue: |
|
@dmitshur |
|
Change https://golang.org/cl/291230 mentions this issue: |
* Link to privacy policies for proxy.golang.org and sum.golang.org in 'go help modules'. It's important that both policies are linked from the go command's documentation. * Fix wording and typo in 'go help vcs' following comments in CL 290992, which adds reference documentation for GOVCS. * Fix whitespace on GOVCS in 'go help environment'. For #41730 Change-Id: I86abceacd4962b748361244026f219157c9285e9 Reviewed-on: https://go-review.googlesource.com/c/go/+/291230 Trust: Jay Conrod <jayconrod@google.com> Run-TryBot: Jay Conrod <jayconrod@google.com> Reviewed-by: Bryan C. Mills <bcmills@google.com> TryBot-Result: Go Bot <gobot@golang.org>
For golang/go#41730 Change-Id: Ie5437ad57be79e42a2a7cd2e89264dbba5285941 Reviewed-on: https://go-review.googlesource.com/c/website/+/290992 Trust: Jay Conrod <jayconrod@google.com> Run-TryBot: Jay Conrod <jayconrod@google.com> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Bryan C. Mills <bcmills@google.com>
The go command runs commands like git and hg to download modules. In the past, we have had problems with security bugs in version control systems becoming security bugs in “go get”.
The original modules draft design removed use of these commands entirely, saying:
The removal of these commands was not possible in the end: being able to fetch directly from Git repos is too important, especially for closed source. But the security exposure has not gone away. We remain vulnerable to problems in VCS systems, especially the less scrutinized ones.
I propose to add a new GOVCS setting that controls which version control systems are allowed to be used for downloads.
In its simplest form, GOVCS is a pipe-separated list of allowed version control systems:
The set of all known version control systems can be abbreviated “all’:
The set of no VCS systems can be written “off”:
A glob pattern (already used for GOPRIVATE, GONOPROXY, and so on) followed by a colon can restrict the effect to a particular (module or import) path prefix:
The special pattern “private” means any pattern from GOPRIVATE.
The special pattern “public” means anything not matched by GOPRIVATE.
A comma-separated list of restricted can be given. The first match in the list applies:
Finally, there is a default setting in the go command itself. An explicit setting of GOVCS takes priority but does not remove the defaults; the effect is as if the explicit GOVCS setting were inserted ahead of the defaults in the comma-separated list.
(Note that this gives considerably more control over exactly when a VCS can be used than the current behavior of “if it’s in the PATH, it can be used.”)
I propose the default GOVCS setting allow all VCS for private modules but only Git and Mercurial for public modules.
That is, the default setting is equivalent to:
The rationale behind allowing only Git and Mercurial is that these two systems have had the most attention to issues of being run as clients of untrusted servers. In contrast, Bazaar, Fossil, and Subversion have primarily been used in trusted, authenticated environments and are not as well scrutinized as attack surfaces.
It is certainly the case that even Git and Mercurial are unfortunately not free of bugs either, but those projects have had more scrutiny and have established a record of fixing them quickly.
The rationale behind allowing
private:allis that private servers are trusted. It is beyond thegocommand’s threat model to guard against scenarios in which a company’s private source code host has already been compromised.Users who want to allow all VCS even for public source code servers would use
I propose that the public Go module mirror proxy.golang.org continue to allow all VCS.
It is already the case that the Go module mirror handles fetching Bazaar, Fossil, and Subversion repos for the vast majority of Go users: those users do not even need to install the corresponding binaries, and it is likely that most do not.
The module mirror also invokes the
gocommand and its subprocesses in a security sandbox for added security, so it is more equipped to deal with potential compromises of the version control tools. It would simply run withGOVCS=public:allto continue allowing all the VCS tools to be used. We would encourage alternate module mirrors to do the same.The combination of disallowing less-popular version control systems by default but continuing to be able to fetch them through module mirrors balances improving baseline security on developer systems machines while not fragmenting the ecosystem.
This default does put the module mirror on the critical path for downloads of public Bazaar/Fossil/Subversion downloads, but it is the same system that serves the checksum database, which is already on the critical path for all downloads. And the setting that opts out of the checksum database and proxy for all modules—
GOPRIVATE=*—would automatically opt out of the VCS restrictions as well.The text was updated successfully, but these errors were encountered: