cmd/go: should GOINSECURE imply GONOSUMDB?

[perillo]

What version of Go are you using (go version)?

$ go version
go version go1.14.1 linux/amd64

Does this issue reproduce with the latest release?

Yes.
It also reproduces with the current gotip.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE="on"
GOARCH="amd64"
GOBIN="/home/manlio/.local/bin"
GOCACHE="/home/manlio/.cache/go-build"
GOENV="/home/manlio/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE="*.local"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/manlio/.local/lib/go:/home/manlio/src/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build165827450=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.14.1 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.14.1
uname -sr: Linux 5.5.11-arch1-1
/usr/lib/libc.so.6: GNU C Library (GNU libc) stable release version 2.31.
gdb --version: GNU gdb (GDB) 9.1

What did you do?

The documentation in https://golang.org/pkg/cmd/go/#hdr-Module_authentication_failures says

If GOSUMDB is set to "off", or if "go get" is invoked with the -insecure flag, the checksum database is not consulted, and all unrecognized modules are accepted, at the cost of giving up the security guarantee of verified repeatable downloads for all modules

However when GOINSECURE is set for a module, GOSUMDB is consulted for that module.

If #37519 is implemented, then GOINSECURE will have a different semantic compared to the -insecure flag.

Thanks.

[andybons]

@bcmills @matloob @jayconrod

[bcmills]

@FiloSottile, do you have any insight on this?

[bcmills]

I'm inclined to say that GOINSECURE and GONOSUMDB (which controls which modules are checked in the sumdb) should be independent.

Here's my reasoning: if you are blocked from an HTTPS connection to the origin, but the sumdb server is able to fetch from the origin via HTTPS, then the origin can serve a plain-HTTP response to you and you can combine that with the checksum from the database to obtain a trustworthy copy of the module, even if that module is not available from any proxy that you can reach. (Recall that a proxy can provide access to signed sum.golang.org checksums even if proxy.golang.org is blocked.)

[bcmills]

Or, to put it another way: the difference between GOINSECURE and the -insecure flag is intentional. GOINSECURE provides very tightly-targeted exceptions for specific problems, whereas -insecure is one big hammer that disables everything.

Since you can also set GONOSUMDB (perhaps via GOPRIVATE), you can still fetch any module that you would have been able to fetch using -insecure — you just have to explicitly disable the two layers of security (TLS signatures and module checksums) independently.

[FiloSottile]

The checksum database is more, not less, important for GOINSECURE fetches, as there is no transport security to rely on. We should definitely keep them independent, also because we should encourage setting GOPRIVATE for private modules, not GOINSECURE (unless needed).

[perillo]

Thanks.

I opened the issue because I found the behavior between GOINSECURE and -insecure different, and I was not sure if it was intentional. Since it is intentional, the issue can be closed.

I'm not sure if the difference between GOINSECURE and -insecure deserves additional documentation. It should probably be mentioned in #37519.

[bcmills]

Thanks for checking. I added a note on that issue.