As discussed in #32104, #31741 and #27332, there is sometimes a need for users to fetch dependencies in an insecure manner (e.g. where dependencies are on servers with certificates that are not trusted by the system, or where the server is not https at all). The current `go get` command supports a `-insecure` flag for this use-case; however, it is not supported by the new `go mod` commands. The `-insecure` flag is probably overkill in most cases and could lead to users fetching dependencies insecurely by accident.
I propose the addition of two new environment variables that would be used by all commands fetching dependencies. The first of these would provide the go tools with additional CA certificates to trust (in situations where the user is unable to modify the system trust, or where they only want to trust a certificate for the duration of the go command). The second would list servers where insecure fetching is allowed. For example, these could be:
- `GOTRUST=pathToCA1.pem,pathToCA2.pem` – defines a comma-separated list of CA certificate files to trust alongside the system ones.
- `GOINSECURE=foo.com,*.bar.com` – defines a comma-separated list of hostnames (possibly with globs) where insecure fetches (I guess either over https with an untrusted authority, or over plain http) are allowed.
If this were implemented, then I would also propose the removal of the `-insecure` flag from `go get`.
I would be willing to work on this issue if it were accepted, but I don’t really know where to start!