From 5853b4ee47f41f2d5ea8e63a185b2cfd6e08b98c Mon Sep 17 00:00:00 2001
From: witchard <witchard@hotmail.co.uk>
Date: Mon, 21 Sep 2020 19:35:15 +0000
Subject: [PATCH] cmd/go/internal/get: warn about -insecure deprecation

Adds deprecation warning for -insecure flag on go get in both modules
and GOPATH mode.

Updates #37519.

Change-Id: Ie2efeeb4a91e6dda92955295969e9715314ae50e
GitHub-Last-Rev: a9ebe21fe067baa12391ad4f9357d8e5b0cf7051
GitHub-Pull-Request: golang/go#41497
Reviewed-on: https://go-review.googlesource.com/c/go/+/255882
Run-TryBot: Jay Conrod <jayconrod@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Trust: Michael Matloob <matloob@golang.org>
Trust: Jay Conrod <jayconrod@google.com>
---
 src/cmd/go/alldocs.go                         | 18 +++++++++-------
 src/cmd/go/internal/get/get.go                | 12 +++++++----
 src/cmd/go/internal/modget/get.go             | 12 ++++++++---
 .../script/get_insecure_deprecated.txt        | 21 +++++++++++++++++++
 4 files changed, 49 insertions(+), 14 deletions(-)
 create mode 100644 src/cmd/go/testdata/script/get_insecure_deprecated.txt

diff --git a/src/cmd/go/alldocs.go b/src/cmd/go/alldocs.go
index 5f1c7aaecb..a0e93d822e 100644
--- a/src/cmd/go/alldocs.go
+++ b/src/cmd/go/alldocs.go
@@ -662,9 +662,12 @@
 // this automatically as well.
 //
 // The -insecure flag permits fetching from repositories and resolving
-// custom domains using insecure schemes such as HTTP. Use with caution. The
-// GOINSECURE environment variable is usually a better alternative, since it
-// provides control over which modules may be retrieved using an insecure scheme.
+// custom domains using insecure schemes such as HTTP. Use with caution.
+// This flag is deprecated and will be removed in a future version of go.
+// The GOINSECURE environment variable is usually a better alternative, since
+// it provides control over which modules may be retrieved using an insecure
+// scheme. It should be noted that the -insecure flag also turns the module
+// checksum validation off. GOINSECURE does not do that, use GONOSUMDB.
 // See 'go help environment' for details.
 //
 // The second step is to download (if needed), build, and install
@@ -2200,10 +2203,11 @@
 // before resolving dependencies or building the code.
 //
 // The -insecure flag permits fetching from repositories and resolving
-// custom domains using insecure schemes such as HTTP. Use with caution. The
-// GOINSECURE environment variable is usually a better alternative, since it
-// provides control over which modules may be retrieved using an insecure scheme.
-// See 'go help environment' for details.
+// custom domains using insecure schemes such as HTTP. Use with caution.
+// This flag is deprecated and will be removed in a future version of go.
+// The GOINSECURE environment variable is usually a better alternative, since
+// it provides control over which modules may be retrieved using an insecure
+// scheme. See 'go help environment' for details.
 //
 // The -t flag instructs get to also download the packages required to build
 // the tests for the specified packages.
diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go
index 3f7a66384a..ed2786879c 100644
--- a/src/cmd/go/internal/get/get.go
+++ b/src/cmd/go/internal/get/get.go
@@ -44,10 +44,11 @@ The -fix flag instructs get to run the fix tool on the downloaded packages
 before resolving dependencies or building the code.
 
 The -insecure flag permits fetching from repositories and resolving
-custom domains using insecure schemes such as HTTP. Use with caution. The
-GOINSECURE environment variable is usually a better alternative, since it
-provides control over which modules may be retrieved using an insecure scheme.
-See 'go help environment' for details.
+custom domains using insecure schemes such as HTTP. Use with caution.
+This flag is deprecated and will be removed in a future version of go.
+The GOINSECURE environment variable is usually a better alternative, since
+it provides control over which modules may be retrieved using an insecure
+scheme. See 'go help environment' for details.
 
 The -t flag instructs get to also download the packages required to build
 the tests for the specified packages.
@@ -128,6 +129,9 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
 	if *getF && !*getU {
 		base.Fatalf("go get: cannot use -f flag without -u")
 	}
+	if cfg.Insecure {
+		fmt.Fprintf(os.Stderr, "go get: -insecure flag is deprecated; see 'go help get' for details\n")
+	}
 
 	// Disable any prompting for passwords by Git.
 	// Only has an effect for 2.3.0 or later, but avoiding
diff --git a/src/cmd/go/internal/modget/get.go b/src/cmd/go/internal/modget/get.go
index 0c501e3885..f7b5cfaf2e 100644
--- a/src/cmd/go/internal/modget/get.go
+++ b/src/cmd/go/internal/modget/get.go
@@ -115,9 +115,12 @@ require downgrading other dependencies, and 'go get' does
 this automatically as well.
 
 The -insecure flag permits fetching from repositories and resolving
-custom domains using insecure schemes such as HTTP. Use with caution. The
-GOINSECURE environment variable is usually a better alternative, since it
-provides control over which modules may be retrieved using an insecure scheme.
+custom domains using insecure schemes such as HTTP. Use with caution.
+This flag is deprecated and will be removed in a future version of go.
+The GOINSECURE environment variable is usually a better alternative, since
+it provides control over which modules may be retrieved using an insecure
+scheme. It should be noted that the -insecure flag also turns the module
+checksum validation off. GOINSECURE does not do that, use GONOSUMDB.
 See 'go help environment' for details.
 
 The second step is to download (if needed), build, and install
@@ -278,6 +281,9 @@ func runGet(ctx context.Context, cmd *base.Command, args []string) {
 	if *getM {
 		base.Fatalf("go get: -m flag is no longer supported; consider -d to skip building packages")
 	}
+	if cfg.Insecure {
+		fmt.Fprintf(os.Stderr, "go get: -insecure flag is deprecated; see 'go help get' for details\n")
+	}
 	modload.LoadTests = *getT
 
 	// Do not allow any updating of go.mod until we've applied
diff --git a/src/cmd/go/testdata/script/get_insecure_deprecated.txt b/src/cmd/go/testdata/script/get_insecure_deprecated.txt
new file mode 100644
index 0000000000..7f5f5c7877
--- /dev/null
+++ b/src/cmd/go/testdata/script/get_insecure_deprecated.txt
@@ -0,0 +1,21 @@
+# GOPATH: Set up
+env GO111MODULE=off
+
+# GOPATH: Fetch without insecure, no warning
+! go get test
+! stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'
+
+# GOPATH: Fetch with insecure, should warn
+! go get -insecure test
+stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'
+
+# Modules: Set up
+env GO111MODULE=on
+
+# Modules: Fetch without insecure, no warning
+! go get test
+! stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'
+
+# Modules: Fetch with insecure, should warn
+! go get -insecure test
+stderr 'go get: -insecure flag is deprecated; see ''go help get'' for details'