cmd/go: security fix broke bzr-inside-bzr repos

[rsc]

@arthursapek in #22125 (comment) reports:

This change seems to break go get on a nested bzr package called labix.org/v2/mgo.

Given command go get labix.org/v2/mgo/bson, we get this output:

package labix.org/v2/mgo/bson: directory "/home/emile/go/src/labix.org/v2/mgo" uses bzr, but parent "/home/emile/go/src/labix.org/v2" uses bzr

Same goes for this mirror: go get gopkg.in/mgo.v2/bson

Was the intent here to disable all nested VCS except for git?

Indeed it was, because we are confident about git protecting well enough against git-in-git. I am honestly not as confident in bzr, which seems to have far less attention paid to it. Anything we enable here ends up in the trusted computing base for cmd/go (that is, it allows attacks on cmd/go users), so I'm really pretty reluctant to add this back.

But creating the issue anyway.

[rsc]

/cc @niemeyer for advice (only bzr user I know)

[dmitshur]

but parent "/home/emile/go/src/labix.org/v2" uses bzr

Is there really a Bazaar repository at the path corresponding to import path labix.org/v2?

Have you verified that the "go-import" tags are correctly served for the labix.org/v2/mgo/bson package? It's possible that the root issue is there, so we should check whether that's the case before considering changes to cmd/go.

When I do curl -i 'https://labix.org/v2?go-get=1', I get 404, so something seems strange.

[gopherbot]

Change https://golang.org/cl/69670 mentions this issue: cmd/go: correct directory used in checkNestedVCS test

[rsc]

CL 69670 OK for Go 1.9.2

[gopherbot]

Change https://golang.org/cl/70839 mentions this issue: [release-branch.go1.8] cmd/go: correct directory used in checkNestedVCS test

[gopherbot]

Change https://golang.org/cl/70984 mentions this issue: [release-branch.go1.9] cmd/go: correct directory used in checkNestedVCS test