path: root/src/cmd/go/internal/modget/get.go
author Dmitri Shuralyov <dmitshur@golang.org> 2020-11-05 10:08:11 -0500
committer Dmitri Shuralyov <dmitshur@golang.org> 2020-11-05 15:16:57 +0000
commit 34c09695db93218217703362135c6fede35535e0
tree fc99ed91418b287a72751dd121f828c917d49bc6 /src/cmd/go/internal/modget/get.go
parent 74ec40fc8acffb81f17ccbaa498b15f694c25e4d
cmd/go: revert "add GOVCS setting to control version control usage"

This reverts CL 266420.

Reason for revert: tests aren't passing on linux-{386,amd64}-longtest.

Change-Id: Icec47cded795a51ef7569dfb2d93d9211b4fb578
Reviewed-on: https://go-review.googlesource.com/c/go/+/267799
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>

Diffstat (limited to 'src/cmd/go/internal/modget/get.go')
-rw-r--r-- src/cmd/go/internal/modget/get.go 76
1 files changed, 0 insertions, 76 deletions
diff --git a/src/cmd/go/internal/modget/get.go b/src/cmd/go/internal/modget/get.go
index f99441c2b9..171c070ab3 100644
--- a/src/cmd/go/internal/modget/get.go
+++ b/src/cmd/go/internal/modget/get.go
@@ -176,82 +176,6 @@ Usage: ` + CmdGet.UsageLine + `
` + CmdGet.Long,
}
-var HelpVCS = &base.Command{
- UsageLine: "vcs",
- Short: "controlling version control with GOVCS",
- Long: `
-The 'go get' command can run version control commands like git
-to download imported code. This functionality is critical to the decentralized
-Go package ecosystem, in which code can be imported from any server,
-but it is also a potential security problem, if a malicious server finds a
-way to cause the invoked version control command to run unintended code.
-
-To balance the functionality and security concerns, the 'go get' command
-by default will only use git and hg to download code from public servers.
-But it will use any known version control system (bzr, fossil, git, hg, svn)
-to download code from private servers, defined as those hosting packages
-matching the GOPRIVATE variable (see 'go help private'). The rationale behind
-allowing only Git and Mercurial is that these two systems have had the most
-attention to issues of being run as clients of untrusted servers. In contrast,
-Bazaar, Fossil, and Subversion have primarily been used in trusted,
-authenticated environments and are not as well scrutinized as attack surfaces.
-
-The version control command restrictions only apply when using direct version
-control access to download code. When downloading modules from a proxy,
-'go get' uses the proxy protocol instead, which is always permitted.
-By default, the 'go get' command uses the Go module mirror (proxy.golang.org)
-for public packages and only falls back to version control for private
-packages or when the mirror refuses to serve a public package (typically for
-legal reasons). Therefore, clients can still access public code served from
-Bazaar, Fossil, or Subversion repositories by default, because those downloads
-use the Go module mirror, which takes on the security risk of running the
-version control commands, using a custom sandbox.
-
-The GOVCS variable can be used to change the allowed version control systems
-for specific packages (identified by a module or import path).
-The GOVCS variable applies both when using modules and when using GOPATH.
-When using modules, the patterns match against the module path.
-When using GOPATH, the patterns match against the import path
-corresponding to the root of the version control repository.
-
-The general form of the GOVCS setting is a comma-separated list of
-pattern:vcslist rules. The pattern is a glob pattern that must match
-one or more leading elements of the module or import path. The vcslist
-is a pipe-separated list of allowed version control commands, or "all"
-to allow use of any known command, or "off" to allow nothing.
-The earliest matching pattern in the list applies, even if later patterns
-might also match.
-
-For example, consider:
-
- GOVCS=github.com:git,evil.com:off,*:git|hg
-
-With this setting, code with an module or import path beginning with
-github.com/ can only use git; paths on evil.com cannot use any version
-control command, and all other paths (* matches everything) can use
-only git or hg.
-
-The special patterns "public" and "private" match public and private
-module or import paths. A path is private if it matches the GOPRIVATE
-variable; otherwise it is public.
-
-If no rules in the GOVCS variable match a particular module or import path,
-the 'go get' command applies its default rule, which can now be summarized
-in GOVCS notation as 'public:git|hg,private:all'.
-
-To allow unfettered use of any version control system for any package, use:
-
- GOVCS=*:all
-
-To disable all use of version control, use:
-
- GOVCS=*:off
-
-The 'go env -w' command (see 'go help env') can be used to set the GOVCS
-variable for future go command invocations.
-`,
-}
-
var (
getD = CmdGet.Flag.Bool("d", false, "")
getF = CmdGet.Flag.Bool("f", false, "")
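
Review bot: Deleting `var HelpVCS` at the top of this hunk removes an exported variable, and this view is limited to get.go, so confirm that every reference to `HelpVCS` elsewhere in cmd/go is removed in the same revert; a leftover reference would break the build. The commit message names the failing longtest builders but links no tracking issue or plan to re-land, which matters here because the deleted text documents a security-relevant default (`public:git|hg,private:all`) that readers of 'go help' will no longer find. When the text is re-landed, fix the typo in "code with an module or import path" (should be "a module").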