Hi,

As Go1.21 is about to be released, I'd like to know what value we
should set for the GOTOOLCHAIN env.

The default value is auto, which means it will download the newer
toolchain if go.mod _explicitly_ says so. See
https://go.dev/doc/toolchain for details.

Please be aware that it doesn't affect how we build Go packages, as
dh-golang will set GOTOOLCHAIN to local to prevent it from accessing
the network. So here we only discuss the user experience when using
the Go toolchain itself.

At #1040507, users are concerned whether the downloaded binaries are
cryptographically verified. Yes, they are verified the same as Go
libraries. If you disable GOSUMDB, they will not be verified, but this
means all the Go libraries are not verified either, and we won't
disable that by default.

Users may have concerns about privacy, but there are already envs like
GOPROXY, which is set to https://proxy.golang.org. I don't see much
value in changing GOPROXY to "off" or other values, as it really hurts
the development experience. So if users would change the GOPROXY env for
privacy reasons, I would expect them to change GOTOOLCHAIN as well.
(Actually, if GOPROXY is set to off, go won't download newer
toolchains.)

Also, I don't see many security concerns: if upstream does evil in
their binary releases, I would be much more concerned about their
source, which is much harder to audit.

Another thought is that we always release very old versions in Debian
stable. For example, we just released Debian 12, which has Go1.19, but
Go1.19 will be EOL in the next few weeks when Go1.21 is released.
Allowing Go to download a newer toolchain by default would just make
such an old version more useful...

I'm inclined to leave the GOTOOLCHAIN value as is. Any thoughts?

-- 
Shengjing Zhu
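The three settings the message contrasts (GOTOOLCHAIN auto vs local, GOPROXY=off, and a go.mod that asks for a newer Go than the one installed), modelled as an added Go example that is not from the message or from the go command's source. It is a simplified reading of https://go.dev/doc/toolchain: only the auto and local modes are handled, a bare language version such as `1.22` is used as written, and the sample go.mod and version numbers are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// key turns "1.21.3" or "1.21" into one comparable int (missing parts are 0).
func key(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major*1000000 + minor*1000 + patch
}

// requiredVersion returns the newest version named by the go.mod "go" and
// "toolchain" lines, i.e. the minimum toolchain the module asks for.
func requiredVersion(gomod string) string {
	req := ""
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(line)
		if len(f) == 2 && (f[0] == "go" || f[0] == "toolchain") {
			if v := strings.TrimPrefix(f[1], "go"); req == "" || key(v) > key(req) {
				req = v
			}
		}
	}
	return req
}

// Select models the go command's choice when go.mod wants a newer toolchain
// than the installed one (local, e.g. "1.19.13"): it returns the version that
// would run and whether it must be downloaded first, or the failure instead.
func Select(gotoolchain, goproxy, local, gomod string) (use string, download bool, err error) {
	req := requiredVersion(gomod)
	if req == "" || key(req) <= key(local) {
		return local, false, nil // installed toolchain is new enough
	}
	if gotoolchain == "local" { // what dh-golang sets: never fetch, fail instead
		return "", false, fmt.Errorf("go.mod requires go >= %s (running go %s; GOTOOLCHAIN=local)", req, local)
	}
	if goproxy == "off" { // auto, but the download path is disabled
		return "", false, fmt.Errorf("go.mod requires go >= %s but GOPROXY=off prevents the download", req)
	}
	return req, true, nil // auto: fetch the newer toolchain (checked via GOSUMDB) and run it
}

func main() {
	use, dl, err := Select("auto", "https://proxy.golang.org", "1.19.13", "module example.com/m\n\ngo 1.21.0\n")
	fmt.Println(use, dl, err) // 1.21.0 true <nil>
}
```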
