FEATURE: Add --insecure (Was: Cannot detect VCS error on private repos)

[bjorn-tf]

We have private repos on bitbucket. To make them available and "go gettable" to our developers and CI servers we are using gorepos proxy.

For example, this is response to wget https://gorep.ourcompany.net/ourpackage?go-get=1:

<html>
  <head>
    <meta name="go-import" content="gorep.ourcompany.net/ourpackage git ssh://[email protected]/ourcompany/ourpackage">
  </head>
</html>

As far as i can see, glide just ignoring two last fields in content attribute, and returns warning:
[WARN] Problem setting version on gorep.ourcompany.net/ourpackage: Cannot detect VCS (flatten)

We are using glide version 0.8.2-2-gb07f081

[mattfarina]

@bjorn-tf Glide There are two places "go-import" is used.

1. When Glide attempts to retrieve the root package. I think this is what you are seeing.
2. When Mastermincs/vcs retrieves the package. vcs uses all 3 parts of the "go-import" statement to find the right location to the package. Cannot detect vcs is an error returned from the vcs package.

Do you already have a version of the dependent package checked out? Does it have the .git or other VCS directory in the root of the repo? I ask because Masterminds/vcs provides that message when it looks in the directory and can't find VCS information.

[mattfarina]

Also, you can use private repos with Glide.

package: foo/bar
import:
- package: github.com/private/package
  repo: [email protected]:private/package.git
  vcs: git

That will tell glide to checkout [email protected]:private/package.git using git and put it into github.com/private/package. The local user will need access to [email protected]:private/package.git and it can be anything the local user has access to with the VCS.

[bjorn-tf]

@mattfarina Thank you for fast response. I think that i found a problem - detectVcsFromRemote function:

• always tries to use https - but we are using http
• has no option to skip self-signed cert error

I think, that "insecure" flag can help here.

[mattfarina]

@bjorn-tf Does the --insecure flag solve the problem? Or, do you need the ability to work with a self-signed cert on https?

[bjorn-tf]

@mattfarina As far as i can see glide install know nothing about insecure flag, it just prints help message.
Yes, it will be great to have ability to work with http and self-signed certs on https.

[mattfarina]

The --insecure flag set the repo to be the http version of the url to the package. If you have http access what is the error?

[bjorn-tf]

glide install --insecure do nothing, just show help message

[mattfarina]

The --insecure flag is on glide get no glide install.

If you have an import like:

- package: ourcompany.net/example/package

you can update it to be (this is what glide get with --insecure does):

- package: ourcompany.net/example/package
  repo: http://ourcompany.net/example/package

or

- package: ourcompany.net/example/package
  repo: http://ourcompany.net/example/package
  vcs: git

if you know the VCS type.

[bjorn-tf]

I've tried glide --insecure get gorep.ourcopmany.net/package:
[WARN] Package "gorep.ourcompany.net/package" is already in glide.yaml. Skipping

Of course i can add proper repo for package to glide.yaml by hands, but it will not help, because package relies on other packages(located in other private repos) and glide will fail during install phase.

I suggest to add support of --insecure flag to glide install and glide update commands.

[mattfarina]

@bjorn-tf Now I understand the problem. Thanks for all the detail.

[mattfarina]

What we need to do is have an --insecure flag on the install and update commands to allow for automatically detecting insecure dependencies within all levels of the tree and allowing them to be fetched.

[charneykaye]

In my case also, we require an --insecure flag because we are using a private repository behind a firewall, that only offers HTTP and not HTTPS.

[danielec7]

I would really need this too.