1 files changed, 30 insertions, 27 deletions

diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go
index e5bacadaa3..3f7a66384a 100644
--- a/src/cmd/go/internal/get/get.go
+++ b/src/cmd/go/internal/get/get.go
@@ -18,8 +18,11 @@ import (
 	"cmd/go/internal/load"
 	"cmd/go/internal/search"
 	"cmd/go/internal/str"
+	"cmd/go/internal/vcs"
 	"cmd/go/internal/web"
 	"cmd/go/internal/work"
+
+	"golang.org/x/mod/module"
 )
 
 var CmdGet = &base.Command{
@@ -41,7 +44,10 @@ The -fix flag instructs get to run the fix tool on the downloaded packages
 before resolving dependencies or building the code.
 
 The -insecure flag permits fetching from repositories and resolving
-custom domains using insecure schemes such as HTTP. Use with caution.
+custom domains using insecure schemes such as HTTP. Use with caution. The
+GOINSECURE environment variable is usually a better alternative, since it
+provides control over which modules may be retrieved using an insecure scheme.
+See 'go help environment' for details.
 
 The -t flag instructs get to also download the packages required to build
 the tests for the specified packages.
@@ -103,14 +109,12 @@ var (
 	getT   = CmdGet.Flag.Bool("t", false, "")
 	getU   = CmdGet.Flag.Bool("u", false, "")
 	getFix = CmdGet.Flag.Bool("fix", false, "")
-
-	Insecure bool
 )
 
 func init() {
 	work.AddBuildFlags(CmdGet, work.OmitModFlag|work.OmitModCommonFlags)
 	CmdGet.Run = runGet // break init loop
-	CmdGet.Flag.BoolVar(&Insecure, "insecure", Insecure, "")
+	CmdGet.Flag.BoolVar(&cfg.Insecure, "insecure", cfg.Insecure, "")
 }
 
 func runGet(ctx context.Context, cmd *base.Command, args []string) {
@@ -403,17 +407,12 @@ func download(arg string, parent *load.Package, stk *load.ImportStack, mode int)
 // to make the first copy of or update a copy of the given package.
 func downloadPackage(p *load.Package) error {
 	var (
-		vcs            *vcsCmd
+		vcsCmd         *vcs.Cmd
 		repo, rootPath string
 		err            error
 		blindRepo      bool // set if the repo has unusual configuration
 	)
 
-	security := web.SecureOnly
-	if Insecure {
-		security = web.Insecure
-	}
-
 	// p can be either a real package, or a pseudo-package whose “import path” is
 	// actually a wildcard pattern.
 	// Trim the path at the element containing the first wildcard,
@@ -427,22 +426,26 @@ func downloadPackage(p *load.Package) error {
 		}
 		importPrefix = importPrefix[:slash]
 	}
-	if err := CheckImportPath(importPrefix); err != nil {
+	if err := module.CheckImportPath(importPrefix); err != nil {
 		return fmt.Errorf("%s: invalid import path: %v", p.ImportPath, err)
 	}
+	security := web.SecureOnly
+	if cfg.Insecure || module.MatchPrefixPatterns(cfg.GOINSECURE, importPrefix) {
+		security = web.Insecure
+	}
 
 	if p.Internal.Build.SrcRoot != "" {
 		// Directory exists. Look for checkout along path to src.
-		vcs, rootPath, err = vcsFromDir(p.Dir, p.Internal.Build.SrcRoot)
+		vcsCmd, rootPath, err = vcs.FromDir(p.Dir, p.Internal.Build.SrcRoot)
 		if err != nil {
 			return err
 		}
 		repo = "<local>" // should be unused; make distinctive
 
 		// Double-check where it came from.
-		if *getU && vcs.remoteRepo != nil {
+		if *getU && vcsCmd.RemoteRepo != nil {
 			dir := filepath.Join(p.Internal.Build.SrcRoot, filepath.FromSlash(rootPath))
-			remote, err := vcs.remoteRepo(vcs, dir)
+			remote, err := vcsCmd.RemoteRepo(vcsCmd, dir)
 			if err != nil {
 				// Proceed anyway. The package is present; we likely just don't understand
 				// the repo configuration (e.g. unusual remote protocol).
@@ -450,10 +453,10 @@ func downloadPackage(p *load.Package) error {
 			}
 			repo = remote
 			if !*getF && err == nil {
-				if rr, err := RepoRootForImportPath(importPrefix, IgnoreMod, security); err == nil {
+				if rr, err := vcs.RepoRootForImportPath(importPrefix, vcs.IgnoreMod, security); err == nil {
 					repo := rr.Repo
-					if rr.vcs.resolveRepo != nil {
-						resolved, err := rr.vcs.resolveRepo(rr.vcs, dir, repo)
+					if rr.VCS.ResolveRepo != nil {
+						resolved, err := rr.VCS.ResolveRepo(rr.VCS, dir, repo)
 						if err == nil {
 							repo = resolved
 						}
@@ -467,13 +470,13 @@ func downloadPackage(p *load.Package) error {
 	} else {
 		// Analyze the import path to determine the version control system,
 		// repository, and the import path for the root of the repository.
-		rr, err := RepoRootForImportPath(importPrefix, IgnoreMod, security)
+		rr, err := vcs.RepoRootForImportPath(importPrefix, vcs.IgnoreMod, security)
 		if err != nil {
 			return err
 		}
-		vcs, repo, rootPath = rr.vcs, rr.Repo, rr.Root
+		vcsCmd, repo, rootPath = rr.VCS, rr.Repo, rr.Root
 	}
-	if !blindRepo && !vcs.isSecure(repo) && !Insecure {
+	if !blindRepo && !vcsCmd.IsSecure(repo) && security != web.Insecure {
 		return fmt.Errorf("cannot download, %v uses insecure protocol", repo)
 	}
 
@@ -496,7 +499,7 @@ func downloadPackage(p *load.Package) error {
 	}
 	root := filepath.Join(p.Internal.Build.SrcRoot, filepath.FromSlash(rootPath))
 
-	if err := checkNestedVCS(vcs, root, p.Internal.Build.SrcRoot); err != nil {
+	if err := vcs.CheckNested(vcsCmd, root, p.Internal.Build.SrcRoot); err != nil {
 		return err
 	}
 
@@ -512,7 +515,7 @@ func downloadPackage(p *load.Package) error {
 
 	// Check that this is an appropriate place for the repo to be checked out.
 	// The target directory must either not exist or have a repo checked out already.
-	meta := filepath.Join(root, "."+vcs.cmd)
+	meta := filepath.Join(root, "."+vcsCmd.Cmd)
 	if _, err := os.Stat(meta); err != nil {
 		// Metadata file or directory does not exist. Prepare to checkout new copy.
 		// Some version control tools require the target directory not to exist.
@@ -533,12 +536,12 @@ func downloadPackage(p *load.Package) error {
 			fmt.Fprintf(os.Stderr, "created GOPATH=%s; see 'go help gopath'\n", p.Internal.Build.Root)
 		}
 
-		if err = vcs.create(root, repo); err != nil {
+		if err = vcsCmd.Create(root, repo); err != nil {
 			return err
 		}
 	} else {
 		// Metadata directory does exist; download incremental updates.
-		if err = vcs.download(root); err != nil {
+		if err = vcsCmd.Download(root); err != nil {
 			return err
 		}
 	}
@@ -547,12 +550,12 @@ func downloadPackage(p *load.Package) error {
 		// Do not show tag sync in -n; it's noise more than anything,
 		// and since we're not running commands, no tag will be found.
 		// But avoid printing nothing.
-		fmt.Fprintf(os.Stderr, "# cd %s; %s sync/update\n", root, vcs.cmd)
+		fmt.Fprintf(os.Stderr, "# cd %s; %s sync/update\n", root, vcsCmd.Cmd)
 		return nil
 	}
 
 	// Select and sync to appropriate version of the repository.
-	tags, err := vcs.tags(root)
+	tags, err := vcsCmd.Tags(root)
 	if err != nil {
 		return err
 	}
@@ -560,7 +563,7 @@ func downloadPackage(p *load.Package) error {
 	if i := strings.Index(vers, " "); i >= 0 {
 		vers = vers[:i]
 	}
-	if err := vcs.tagSync(root, selectTag(vers, tags)); err != nil {
+	if err := vcsCmd.TagSync(root, selectTag(vers, tags)); err != nil {
 		return err
 	}