proposal: cmd/go: disallow Hangul filler codepoints in import paths

[dolmen]

The Hangul filler codepoints (U+115F, U+1160, U+3164) are rendered as zero-width white space as specified by the Unicode standard. And they are allowed in Go import paths.
Those codepoints could be used maliciously to make a malicious package/module appear like a legitimate package/module.

I propose to forbid those codepoints in Go import paths (packages, modules) as well as any Unicode codepoint that is rendered as zero-width whitespace.

Related: #40717 (disallow Hangul filler in Go identifiers)

What version of Go are you using (go version)?

$ go version
1.4.6

Does this issue reproduce with the latest release?

yes

What did you do?

Go Playground: https://play.golang.org/p/EYIrCh9XtI_u

package main

import (
	"play.ground/ᅟ"
)

func main() {
	ᅟ.Fooᅟ()
}
-- go.mod --
module play.ground
-- ᅟ/ᅟ.go --
package ᅟ

import "fmt"

func Fooᅟ() {
	fmt.Println("This function lives in an another file!")
}

What did you expect to see?

Import failure.

What did you see instead?

Code compiles and runs fine.

[rsc]

The Go module system already disallows all non-ASCII import paths during go get,
precisely because Unicode has many subtleties that we are avoiding for the moment.

I don't believe there's anything to fix here at the moment.
If you create files with "interesting" names on your local file system, that's up to you.
And published import paths don't have this problem.

/cc @bcmills @jayconrod @matloob

[rsc]

I suggest we close this, since it doesn't affect network-downloadable packages.