cmd/go: default GONOSUMDB to GONOPROXY if not specified

[rogpeppe]

I suspect that GONOPROXY will be used mainly for private modules. If you're using private modules, you probably don't want to be using the sum database for those either, so it seems like it would be useful if GONOSUMDB would use GONOPROXY if not set.

That would have saved me some time, because if you just set GONOPROXY for a private repo but not GONOSUMDB, you'll get errors - it's not immediately clear that you need to set GONOSUMDB=$GONOPROXY to get it to work.

[rogpeppe]

@bcmills @rsc

[bcmills]

CC @FiloSottile @jayconrod

[FiloSottile]

On one hand, it is not good to default to a less secure state silently. On the other hand, this would help greatly with not training users to blindly set GONOSUMBD when something goes wrong with the checksum database. (See #32291.)

Given there's a lower risk of MITM anyway when going direct (although we do want to protect against malicious origins) and since I can't really think of many cases where you want to add a path to GONOPROXY and not GONOSUMDB, I'm in favor of this.

I would make an exception for GONOPROXY=*, but I guess most people will just do GOPROXY=off instead, which does not disable the sumdb, so maybe there's no need.

[bcmills]

@FiloSottile, s/GOPROXY=off/GOPROXY=direct/?

[FiloSottile]

@bcmills yes, thanks.

[rsc]

It is definitely true that there is something missing here. GONOSUMDB and GONOPROXY are both low-level things and you shouldn't have to configure both. I think we should do something for Go 1.13.

Separately, @ianthehat asked me in the context of editor integration if there was some way to tell for a given package "is this an import that would make sense to hyperlink to godoc.org?".

I am starting to think we should add a higher-level control knob GOPRIVATE and encourage that instead of the lower-level knobs. GOPRIVATE would set the default for both GONOSUMDB and GONOPROXY but other programs could also look at it to decide the more general question of whether this is a package known to public infrastructure or not.

Thoughts?

[rogpeppe]

If you have GOPRIVATE, is there still a significant use case for GONOPROXY and/or GONOSUMDB at all, in fact?