From 16f0896ed11fa3eebc20cb3bb3d64378dab2f57e Mon Sep 17 00:00:00 2001
From: witchard
Date: Tue, 21 Apr 2020 19:44:18 +0100
Subject: [PATCH] cmd/go/internal/modget: Improve GOINSECURE docs.

Recommend use of GOINSECURE over -insecure flang and clarify that GOINSECURE environment variable does not also imply GONOSUMDB.
---
 src/cmd/go/alldocs.go | 21 ++++++++++-----------
 src/cmd/go/internal/help/helpdoc.go | 2 ++
 src/cmd/go/internal/modget/get.go | 5 ++++-
 3 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/cmd/go/alldocs.go b/src/cmd/go/alldocs.go
index a20a92d03d9cc7..c2678c3dd3c5e7 100644
--- a/src/cmd/go/alldocs.go
+++ b/src/cmd/go/alldocs.go
@@ -1017,8 +1017,7 @@
 //
 // Download downloads the named modules, which can be module patterns selecting
 // dependencies of the main module or module queries of the form path@version.
-// With no arguments, download applies to all dependencies of the main module
-// (equivalent to 'go mod download all').
+// With no arguments, download applies to all dependencies of the main module.
 //
 // The go command will automatically download modules as needed during ordinary
 // execution. The "go mod download" command is useful mainly for pre-filling
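Review bot: Both alldocs.go hunks change text unrelated to the commit's stated purpose and carry none of the new GOINSECURE wording. This one drops `(equivalent to 'go mod download all')`, and the `@@ -2694,15 +2693,15 @@` hunk replaces the GOPROXY paragraph describing the pipe (|) separator and fall-back-on-any-error behaviour with a comma-only description. alldocs.go looks like generated output of the help text, so it was probably regenerated from an out-of-date binary or base; it should be regenerated from the current tree so that only the helpdoc.go and get.go additions appear. As submitted, the rules for when the go command moves on to the next proxy would no longer be documented here.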
@@ -2694,15 +2693,15 @@
 // Go module mirror run by Google and fall back to a direct connection
 // if the proxy reports that it does not have the module (HTTP error 404 or 410).
 // See https://proxy.golang.org/privacy for the service's privacy policy.
-//
-// If GOPROXY is set to the string "direct", downloads use a direct connection to
-// source control servers. Setting GOPROXY to "off" disallows downloading modules
-// from any source. Otherwise, GOPROXY is expected to be list of module proxy URLs
-// separated by either comma (,) or pipe (|) characters, which control error
-// fallback behavior. For each request, the go command tries each proxy in
-// sequence. If there is an error, the go command will try the next proxy in the
-// list if the error is a 404 or 410 HTTP response or if the current proxy is
-// followed by a pipe character, indicating it is safe to fall back on any error.
+// If GOPROXY is set to the string "direct", downloads use a direct connection
+// to source control servers. Setting GOPROXY to "off" disallows downloading
+// modules from any source. Otherwise, GOPROXY is expected to be a comma-separated
+// list of the URLs of module proxies, in which case the go command will fetch
+// modules from those proxies. For each request, the go command tries each proxy
+// in sequence, only moving to the next if the current proxy returns a 404 or 410
+// HTTP response. The string "direct" may appear in the proxy list,
+// to cause a direct connection to be attempted at that point in the search.
+// Any proxies listed after "direct" are never consulted.
 //
 // The GOPRIVATE and GONOPROXY environment variables allow bypassing
 // the proxy for selected modules. See 'go help module-private' for details.
diff --git a/src/cmd/go/internal/help/helpdoc.go b/src/cmd/go/internal/help/helpdoc.go
index 6a843f459a8dd9..57063b58afbfd5 100644
--- a/src/cmd/go/internal/help/helpdoc.go
+++ b/src/cmd/go/internal/help/helpdoc.go
@@ -510,6 +510,8 @@ General-purpose environment variables: Comma-separated list of glob patterns (in the syntax of Go's path.Match) of module path prefixes that should always be fetched in an insecure manner. Only applies to dependencies that are being fetched directly. + Unlike the -insecure flag on 'go get' this does not disable checksum + database validation; please use GOPRIVATE or GONOSUMDB to achieve that. GOOS The operating system for which to compile code. Examples are linux, darwin, windows, netbsd. diff --git a/src/cmd/go/internal/modget/get.go b/src/cmd/go/internal/modget/get.go index 6ef64cb981d4db..acb9ce7c1f422c 100644 --- a/src/cmd/go/internal/modget/get.go +++ b/src/cmd/go/internal/modget/get.go @@ -114,7 +114,10 @@ require downgrading other dependencies, and 'go get' does this automatically as well. The -insecure flag permits fetching from repositories and resolving -custom domains using insecure schemes such as HTTP. Use with caution. +custom domains using insecure schemes such as HTTP. Use with caution. It is +recommended to use the GOINSECURE environment variable instead as it allows +for more fine-grained control when fetching dependencies in this manner. See +'go help environment' for details. The second step is to download (if needed), build, and install the named packages.
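Review bot: The added GOINSECURE sentence in helpdoc.go ends with `please use GOPRIVATE or GONOSUMDB to achieve that`, which reads as a recommendation to switch checksum database validation off. For a module fetched over an insecure scheme, that validation is an integrity check that still applies, so the help text should present disabling it as an option, not as the expected next step. It should also say that the patterns are best kept narrow. Suggested wording: `Unlike the -insecure flag on 'go get', GOINSECURE does not disable checksum database validation. GOPRIVATE or GONOSUMDB may be used to achieve that.` Naming GOINSECURE also fixes the unclear `this` in the added line.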
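Review bot: The -insecure paragraph in get.go still says nothing about checksums, although the helpdoc.go text added in this same commit implies that -insecure, unlike GOINSECURE, disables checksum database validation. A reader of 'go help get' who follows the new recommendation will not learn that the two differ in this way, and a user who stays on -insecure is not told that it weakens more than the transport. I would add one sentence after `Use with caution.`, for example `The -insecure flag also disables checksum database validation; GOINSECURE does not.` The help string this paragraph belongs to starts and ends outside the hunk.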