As discussed in #32104, #31741 and #27332; there is sometimes a need for users to fetch dependencies in an insecure manner (e.g. where dependencies are on servers with certificates that are not trusted by the system, or where the server is not https at all). The current go get command supports a -insecure flag for this use-case; however this is not supported by the new go mod commands. The -insecure flag is probably overkill in most cases and could lead to users fetching dependencies insecurely by accident.
I propose the addition of two new environment variables that would be used by all commands fetching dependencies. The first of these would provide the go tools with additional CA certificates to trust (in situations where the user is unable to modify the system trust, or where they only want to trust a certificate for the duration of the go command). The second would list servers where insecure fetching is allowed. For example, these could be:
GOTRUST=pathToCA1.pem,pathToCA2.pem – Defines a comma-separated list of CA certificate files to trust alongside the system ones.
GOINSECURE=foo.com,*.bar.com – Defines a comma-separated list of hostnames (possibly with globs) where insecure fetches (I guess either over https due to untrusted authority, or over http) are allowed.
If this were implemented, then I would also propose the removal of the -insecure flag from go get.
I would be willing to work on this issue if it were accepted, but I don’t really know where to start!
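To make the proposed GOINSECURE semantics concrete, here is an added example (not code from the go command or from anyone in this thread) of parsing a comma-separated, glob-capable host list and deciding whether a given host may be fetched insecurely. The helper names, the use of path.Match for the glob and the host normalisation are assumptions of this example, chosen so that the check fails closed: an empty list, a malformed pattern, or a lookalike host such as bar.com.evil.net never unlocks insecure fetching.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// parseInsecureList splits a GOINSECURE-style value such as "foo.com,*.bar.com"
// into trimmed, non-empty glob patterns. Hypothetical helper, not the go command's own code.
func parseInsecureList(value string) []string {
	var patterns []string
	for _, p := range strings.Split(value, ",") {
		if p = strings.TrimSpace(p); p != "" {
			patterns = append(patterns, p)
		}
	}
	return patterns
}

// allowInsecure reports whether host is covered by one of the patterns.
// The host is lower-cased and a trailing dot is dropped, so "FOO.COM." is
// treated as "foo.com". path.Match is used for the glob: "*" matches any run
// of characters other than '/', so "*.bar.com" also covers deeper names such
// as "a.b.bar.com", but never "bar.com" itself or "bar.com.evil.net".
// A malformed pattern is ignored rather than treated as a match (fail closed).
func allowInsecure(patterns []string, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, p := range patterns {
		ok, err := path.Match(strings.ToLower(p), host)
		if err == nil && ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample value and hosts for illustration.
	patterns := parseInsecureList("foo.com, *.bar.com")
	for _, h := range []string{"foo.com", "git.bar.com", "bar.com", "bar.com.evil.net", "example.org"} {
		fmt.Printf("%-18s insecure fetch allowed: %v\n", h, allowInsecure(patterns, h))
	}
}
```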
That would not be secure. DNS resolution is ordinarily unsecured, so with such a configuration option enabled all an attacker would have to do to downgrade security for a package would be to fake its IP address. It’s also unclear to me what use cases that addresses that can’t be addressed with a GOINSECURE list.
It seems like the discussion here has converged on (1) adding GOINSECURE and (2) not adding GOTRUST.
Is that accurate? Thanks.
It looks like people are in favor of adding GOINSECURE with a list of wildcarded host names, so this is a likely accept. Leaving open for one week for final comments.
— for @golang/proposal-review
No new comments in the past week, so accepting.