cmd/go: get -u on repository cloned using git@github.com URL fails #8850
Labels
Milestone
Comments
Besides not recognizing git@github.com URLs (making it impossible to use github ssh), the recent changes to `go get` have also made it rather difficult to use public source control websites like Github and BitBucket as mirrors and to fork packages (for the quick PR, not a long term fork) without rewriting import paths. For our (Conformal) company's workflow, we maintain our own git repos and use a push hook to push all changes to the master branch to an equivalent Github repo. Thus, we use Github as a public mirror while maintaining complete administrative control over our git repos. With the `go get` change, the only method I've found to reliably work is to change every repo to use an alternative push url for the origin remote (and we have a lot of repos!) as well as add another internal remote so we can push and pull to branches on our own git server. This change has also made it more difficult to fork a git repository, keeping the same GOPATH src path (so that import paths do not need to be rewritten) while modifying the git remote so that changes can be pushed and pulled from a public repo (like a forked project on Github). I also see this change as a security loss. Besides not recognizing git@github.com URLs (which would allow SSH with RSA keys -- currently it can only pull from HTTPS), Github SSH only supports RSA, whereas we would prefer to use ECDSA. This is not an issue when we maintain the git repo ourselves, but that isn't possible if `go get` refuses to fetch from any place other than Github for github.com/ import paths. |
|
Comment 3 by marco@peereboom.us: This basically destroys my workflow when working on my personal github projects. I am baffled that this change made it in tbh. |
There is obviously a direct conflict here between detecting packages that are not checked out from the correct places (necessary to update ones that have moved) and allowing "power users" to check out packages not from the correct places. We could relax the check for the public URLs like github.com under the assumption that they will never change, but that doesn't really solve the general problem that has been raised, so I'd rather not make a special case. It may be that the general problem is unsolvable and that if you're going to lie about where you got the code then you just can't use 'go get -u'. Status changed to Thinking. |
|
Comment 6 by dave@davec.name: Perhaps a flag on 'go get' that says "I know what I'm doing, use the file path as the checkout path even if the scm origin doesn't match". |
|
Comment 8 by marco@peereboom.us: @rsc I am not following that argument at all. If I clone a project that I control on github, the ssh URL *is* correct. There is absolutely no reason to reject legitimate URLs. Especially when using ssh since that requires keys. Result is that I now have to update all dependencies by hand. This is essentially kills go get for anyone who is a developer. Sure if I just want run someone else's code I like some protection, but cutting out the guys that generate said code is honestly a terrible idea. Go 1.3 forever I guess :( Alternatively one can patch go forever more to remove these restrictions but I am pretty sure we can all agree that is a pretty terrible idea as well. Please fix go 1.4 :( |
|
Comment 9 by marco@peereboom.us: I forgot to add, that https://golang.org/cl/147170043/ is the diff that screws go get up. So if you need go get to work just revert it. |
CL https://golang.org/cl/164120043 mentions this issue. |
|
This issue was closed by revision ea295a4. Status changed to Fixed. |
|
Comment 13 by marco@peereboom.us: Thank you! |
otoolep
added a commit
to influxdata/influxdb
that referenced
this issue
Jan 21, 2015
InfluxDB source is affected by this issue:
golang/go#8850
which resulted in the new '-f' flag, which our build process must use.
This flag was added to Go 1.4 in:
golang/go@ea295a4
schimmy
pushed a commit
to Clever/shorty
that referenced
this issue
Sep 13, 2015
natebrennand
added a commit
to Clever/shorty
that referenced
this issue
Sep 13, 2015
add tests force go get for now to avoid git / https issues in drone - golang/go#8850 only look at 10 lines of logs in drone clean up .drone.yml - no need to pass -u flag for go get in drone also download deps for tests better URLs for integration tests correct env vars for postgres stop trying to make the db twice more env vars for psql drop IF NOT EXISTS for schema creation to support postgres 9.1 for now allow integration test to succeed correct env variable for pg user
schimmy
pushed a commit
to Clever/shorty
that referenced
this issue
Sep 13, 2015
add tests force go get for now to avoid git / https issues in drone - golang/go#8850 only look at 10 lines of logs in drone clean up .drone.yml - no need to pass -u flag for go get in drone also download deps for tests better URLs for integration tests correct env vars for postgres stop trying to make the db twice more env vars for psql drop IF NOT EXISTS for schema creation to support postgres 9.1 for now allow integration test to succeed correct env variable for pg user
wheatman
pushed a commit
to wheatman/go-akaros
that referenced
this issue
Jun 25, 2018
get -u now checks that remote repo paths match the ones predicted by the import paths: if you are get -u'ing rsc.io/pdf, it has to be checked out from the right location. This is important in case the rsc.io/pdf redirect changes. In some cases, people have good reasons to use non-standard remote repos. Add -f flag to allow that. The f can stand for force or fork, as you see fit. Fixes golang#8850. LGTM=r R=r CC=golang-codereviews https://golang.org/cl/164120043
wheatman
pushed a commit
to wheatman/go-akaros
that referenced
this issue
Jun 26, 2018
get -u now checks that remote repo paths match the ones predicted by the import paths: if you are get -u'ing rsc.io/pdf, it has to be checked out from the right location. This is important in case the rsc.io/pdf redirect changes. In some cases, people have good reasons to use non-standard remote repos. Add -f flag to allow that. The f can stand for force or fork, as you see fit. Fixes golang#8850. LGTM=r R=r CC=golang-codereviews https://golang.org/cl/164120043
wheatman
pushed a commit
to wheatman/go-akaros
that referenced
this issue
Jul 9, 2018
get -u now checks that remote repo paths match the ones predicted by the import paths: if you are get -u'ing rsc.io/pdf, it has to be checked out from the right location. This is important in case the rsc.io/pdf redirect changes. In some cases, people have good reasons to use non-standard remote repos. Add -f flag to allow that. The f can stand for force or fork, as you see fit. Fixes golang#8850. LGTM=r R=r CC=golang-codereviews https://golang.org/cl/164120043
wheatman
pushed a commit
to wheatman/go-akaros
that referenced
this issue
Jul 20, 2018
get -u now checks that remote repo paths match the ones predicted by the import paths: if you are get -u'ing rsc.io/pdf, it has to be checked out from the right location. This is important in case the rsc.io/pdf redirect changes. In some cases, people have good reasons to use non-standard remote repos. Add -f flag to allow that. The f can stand for force or fork, as you see fit. Fixes golang#8850. LGTM=r R=r CC=golang-codereviews https://golang.org/cl/164120043
wheatman
pushed a commit
to wheatman/go-akaros
that referenced
this issue
Jul 30, 2018
get -u now checks that remote repo paths match the ones predicted by the import paths: if you are get -u'ing rsc.io/pdf, it has to be checked out from the right location. This is important in case the rsc.io/pdf redirect changes. In some cases, people have good reasons to use non-standard remote repos. Add -f flag to allow that. The f can stand for force or fork, as you see fit. Fixes golang#8850. LGTM=r R=r CC=golang-codereviews https://golang.org/cl/164120043
This issue was closed.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
by Lytvynov.A.V:
The text was updated successfully, but these errors were encountered: