Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: security fix broke bzr-inside-bzr repos #22157

Closed
rsc opened this issue Oct 5, 2017 · 7 comments
Closed

cmd/go: security fix broke bzr-inside-bzr repos #22157

rsc opened this issue Oct 5, 2017 · 7 comments
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker
Milestone
Go1.9.2

Comments

@rsc
Copy link
Contributor

rsc commented Oct 5, 2017

@arthursapek in #22125 (comment) reports:

This change seems to break go get on a nested bzr package called labix.org/v2/mgo.

Given command go get labix.org/v2/mgo/bson, we get this output:

package labix.org/v2/mgo/bson: directory "/home/emile/go/src/labix.org/v2/mgo" uses bzr, but parent "/home/emile/go/src/labix.org/v2" uses bzr

Same goes for this mirror: go get gopkg.in/mgo.v2/bson

Was the intent here to disable all nested VCS except for git?

Indeed it was, because we are confident about git protecting well enough against git-in-git. I am honestly not as confident in bzr, which seems to have far less attention paid to it. Anything we enable here ends up in the trusted computing base for cmd/go (that is, it allows attacks on cmd/go users), so I'm really pretty reluctant to add this back.

But creating the issue anyway.
@rsc rsc mentioned this issue Oct 5, 2017
Closed
@rsc
Copy link
Contributor Author

rsc commented Oct 5, 2017

/cc @niemeyer for advice (only bzr user I know)

@dmitshur
Copy link
Contributor

dmitshur commented Oct 5, 2017
edited
Loading

but parent "/home/emile/go/src/labix.org/v2" uses bzr

Is there really a Bazaar repository at the path corresponding to import path labix.org/v2?

Have you verified that the "go-import" tags are correctly served for the labix.org/v2/mgo/bson package? It's possible that the root issue is there, so we should check whether that's the case before considering changes to cmd/go.

When I do curl -i 'https://labix.org/v2?go-get=1', I get 404, so something seems strange.

@gopherbot
Copy link
Contributor

Change https://golang.org/cl/69670 mentions this issue: cmd/go: correct directory used in checkNestedVCS test

@ianlancetaylor ianlancetaylor added this to the Go1.9.2 milestone Oct 11, 2017
@rsc rsc reopened this Oct 13, 2017
@rsc
Copy link
Contributor Author

rsc commented Oct 13, 2017
edited
Loading

CL 69670 OK for Go 1.9.2

@rsc rsc added the CherryPickApproved Used during the release process for point releases label Oct 14, 2017
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/70839 mentions this issue: [release-branch.go1.8] cmd/go: correct directory used in checkNestedVCS test

@rsc rsc mentioned this issue Oct 15, 2017
Closed
@gopherbot
Copy link
Contributor

Change https://golang.org/cl/70984 mentions this issue: [release-branch.go1.9] cmd/go: correct directory used in checkNestedVCS test

gopherbot pushed a commit that referenced this issue Oct 25, 2017
@ianlancetaylor @rsc
[release-branch.go1.8] cmd/go: correct directory used in checkNestedV…
533ee44 
…CS test

This error was not used when using git because nested git is permitted.
Add test using Mercurial, so that at least we have a test, even though
the test is not run by default.

Fixes #22157
Fixes #22201

Change-Id: If521f3c09b0754e00e56fa3cd0364764a57a43ad
Reviewed-on: https://go-review.googlesource.com/69670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-on: https://go-review.googlesource.com/70839
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
gopherbot pushed a commit that referenced this issue Oct 25, 2017
@ianlancetaylor @rsc
[release-branch.go1.9] cmd/go: correct directory used in checkNestedV…
39d4bb9 
…CS test

This error was not used when using git because nested git is permitted.
Add test using Mercurial, so that at least we have a test, even though
the test is not run by default.

Fixes #22157
Fixes #22201

Change-Id: If521f3c09b0754e00e56fa3cd0364764a57a43ad
Reviewed-on: https://go-review.googlesource.com/69670
Run-TryBot: Ian Lance Taylor <iant@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-on: https://go-review.googlesource.com/70984
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
@rsc
Copy link
Contributor Author

rsc commented Oct 26, 2017

go1.9.2 has been packaged and includes:

The release is posted at golang.org/dl.

— golang.org/x/build/cmd/releasebot, Oct 26 21:09:21 UTC

@rsc rsc closed this as completed Oct 26, 2017
@rickrich rickrich mentioned this issue Nov 29, 2017
Open
@golang golang locked and limited conversation to collaborators Oct 26, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
CherryPickApproved Used during the release process for point releases FrozenDueToAge release-blocker
Projects
None yet
Milestone
Go1.9.2
Development

No branches or pull requests
4 participants
@rsc @dmitshur @ianlancetaylor @gopherbot