cmd/go: disable sumdb less often for toolchain downloads

rsc · gopherbot · commit 645949401455 · 2023-06-20T15:02:47.000Z
There is a chicken and egg problem with always requiring the checksum database for toolchain module downloads, since the checksum database populates its entry by doing its own module download. Don't require the checksum database for GOPROXY=file:/// (for local testing) and when running on the Go module mirror. For #60847. Change-Id: I5d67d585169ae0fa73109df233baae8ba5fe5dd3 Reviewed-on: https://go-review.googlesource.com/c/go/+/503978 Reviewed-by: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Auto-Submit: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org>
diff --git a/src/cmd/go/internal/modfetch/sumdb.go b/src/cmd/go/internal/modfetch/sumdb.go
@@ -34,12 +34,34 @@ import (
 // useSumDB reports whether to use the Go checksum database for the given module.
 func useSumDB(mod module.Version) bool {
 	if mod.Path == "golang.org/toolchain" {
+		must := true
 		// Downloaded toolchains cannot be listed in go.sum,
 		// so we require checksum database lookups even if
 		// GOSUMDB=off or GONOSUMDB matches the pattern.
 		// If GOSUMDB=off, then the eventual lookup will fail
 		// with a good error message.
-		return true
+
+		// Exception #1: using GOPROXY=file:// to test a distpack.
+		if strings.HasPrefix(cfg.GOPROXY, "file://") && !strings.ContainsAny(cfg.GOPROXY, ",|") {
+			must = false
+		}
+		// Exception #2: the Go proxy+checksum database cannot check itself
+		// while doing the initial download.
+		if strings.Contains(os.Getenv("GIT_HTTP_USER_AGENT"), "proxy.golang.org") {
+			must = false
+		}
+
+		// Another potential exception would be GOPROXY=direct,
+		// but that would make toolchain downloads only as secure
+		// as HTTPS, and in particular they'd be susceptible to MITM
+		// attacks on systems with less-than-trustworthy root certificates.
+		// The checksum database provides a stronger guarantee,
+		// so we don't make that exception.
+
+		// Otherwise, require the checksum database.
+		if must {
+			return true
+		}
 	}
 	return cfg.GOSUMDB != "off" && !module.MatchPrefixPatterns(cfg.GONOSUMDB, mod.Path)
 }
