cmd/go/internal/modfetch: unzip dependency files read-only
The Go community are accustomed to editing Go packages where they are
checked out in the GOPATH. With depedencies populated into the GOPATH by
vgo, editing the Go packages where they are is not the best practice.
This is because the path that the dependencies are written to within the
GOPATH are directories with explicit version names, and to change the
contents of the directory would cause the directory name to lie about
its contents.
Example:
~/go/src/v/github.com/owner/repo@v0.0.0-20180105044528-9d5d1c7387b7
The best practice with vgo is to manually checkout the project at
another path and add a replace directive to your Go module referencing
that local copy.
Because Go developers are accustomed to editing dependencies where go
get places them in the GOPATH, speaking from my own experience, they
will make the mistake of editing the files in these directories. IDEs
faciliate this mistake because most IDEs will allow you to find
references and go to definitions in dependencies.
Setting the file permissions of files checked out in the vgo path
communicates the intent and prevents developers from accidentally
editing those files.
Fixes golang/go#24111
Change-Id: I65bb07722d5093902965d2989e92dd39a9bd0020
Reviewed-on: https://go-review.googlesource.com/96978
Reviewed-by: Russ Cox <rsc@golang.org>
diff --git a/vendor/cmd/go/internal/modfetch/unzip.go b/vendor/cmd/go/internal/modfetch/unzip.go
index a216682..9d9e298 100644
--- a/vendor/cmd/go/internal/modfetch/unzip.go
+++ b/vendor/cmd/go/internal/modfetch/unzip.go
@@ -71,7 +71,7 @@
if err := os.MkdirAll(filepath.Dir(dst), 0777); err != nil {
return err
}
- w, err := os.Create(dst)
+ w, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0444)
if err != nil {
return fmt.Errorf("unzip %v: %v", zipfile, err)
}
