Open oiooj opened 4 years ago
/cc @rsc @jayconrod @bcmills @FiloSottile @katiehockman
I think this is the same issue as in CL 223098.
I'd lean toward redacting go bug but not go env.
Ideally, passwords and secrets would be in ~/.netrc, but I don't think that's adequately documented yet.
Yikes, I didn't realize those brackets would be percent-escaped. I think we need to fix web.Redact... 😅
So, thinking about this some more:
go env to report the actual environment in use.
.netrc as we recommend, they won't have credentials in go env in the first place, so it really doesn't matter.
.netrc handling is fixed maybe we shouldn't allow credentials in GOPROXY at all. Then there would be no question about whether we would print those credentials. (See #30610.)
Change https://golang.org/cl/223757 mentions this issue: cmd/go/internal/web: Redacts any password with "xxxxx"
When a user submits an issue, we also need the user to file the output of go env (many users don't use go bug command), so we should replace any non-empty password in GOPROXY environment by default. The string form replaces password in the original URL with "[redacted]". Like go get -x:
We should only change the go env and go bug command, we can get the original config from go env GOPROXY and go env -json at this time, since some tools today expect to parse go env GOPROXY and use -json option.
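
The following Go program is an added example, not code from cmd/go or from any commenter in this thread. It redacts passwords in a GOPROXY-style list with net/url and shows why a "[redacted]" mask comes out percent-escaped while "xxxxx" does not; the function names, the sample value and the fail-closed "<unparseable>" marker are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// redactURL replaces a non-empty password in one GOPROXY entry with mask.
// Keywords such as "direct" and "off" carry no userinfo and pass through.
func redactURL(raw, mask string) string {
	u, err := url.Parse(raw)
	if err != nil {
		// Fail closed: an unparseable entry may still embed a credential.
		return "<unparseable>"
	}
	if u.User == nil {
		return raw
	}
	if pw, ok := u.User.Password(); !ok || pw == "" {
		return raw
	}
	u.User = url.UserPassword(u.User.Username(), mask)
	return u.String()
}

// redactGOPROXY redacts every entry of a GOPROXY list, keeping the
// "," and "|" separators exactly where they were.
func redactGOPROXY(list, mask string) string {
	var b strings.Builder
	start := 0
	for i := 0; i <= len(list); i++ {
		if i == len(list) || list[i] == ',' || list[i] == '|' {
			b.WriteString(redactURL(list[start:i], mask))
			if i < len(list) {
				b.WriteByte(list[i])
			}
			start = i + 1
		}
	}
	return b.String()
}

func main() {
	// Constructed sample value; host and credentials are made up.
	v := "https://alice:s3cret@proxy.example.com/mod,https://proxy.golang.org|direct"
	fmt.Println(redactGOPROXY(v, "xxxxx"))      // password becomes xxxxx
	fmt.Println(redactGOPROXY(v, "[redacted]")) // brackets come out percent-escaped
}
```

Output meant for issue reports would go through redactGOPROXY, while the unmodified value stays available to tools that need to parse it.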