cmd/go: downloads follow plain-HTTP redirects even when the -insecure flag is not set [1.11 backport] #29618
Comments
gopherbot
added
the
CherryPickCandidate
julieqiu
added
CherryPickApproved
|
Approving since this is a security issue. Please follow the instructions at https://github.com/golang/go/wiki/MinorReleases to create the cherrypick CL. |
|
The upstream issue #29591 has not been resolved yet, and it has been bumped up to Go 1.13 milestone, so no progress can be made here at this time. Edit: That said, CL 156838 which resolves the upstream issue has a +2, just a R=Go1.13 label. Perhaps progress can be made here. I'll let people who worked on the fix decide. /cc @bcmills @rsc |
|
I think we want to land the CL and give it a bit of soak time, then backport it. |
|
It's been a while. How's the soaking going? |
|
Haven't heard any complaints so far, but it's only been a month. I'm still feeling a bit uneasy about it. (Maybe that implies that we shouldn't backport it at all?) |
|
OK. Pushing to 1.11.11 for now. |
|
I've been thinking about this some more. I don't think we'll have adequate soak time on the change until after Go 1.13 is released: I suspect that the problems will be in the long tail of packages, and users on the long tail by and large are not testing against While this is a security issue, I don't think it's major enough to risk breaking long-tail packages at a point release. I'm going to tentatively schedule the 1.12 backport for a couple of weeks after the 1.13 release, when we'll have a clearer view of just how broken the long tail is. At that point, Go 1.11 will no longer be supported anyway, so closing the 1.11 backport issue. |
dmitshur
added
CherryPickCandidate
@FiloSottile requested issue #29591 to be considered for backport to the next 1.11 minor release.
The text was updated successfully, but these errors were encountered: