Add an option to opt-in for disclosure of internal/private repository names, at least for ?go-get=1 query.
Problem to solve
It is impossible right now to invoke go get on an internal/private GitLab repository and clone the project that way.
Further details
The go get utility (from the Go language) uses SCM-based imports natively, but for convenience, suffixes such as .git or .hg after the repository name (and before the package path) are often omitted in import directives.
So there is a mechanism in which the go get utility makes an HTTP request against the import path + ?go-get=1 query, e.g.:
myprivategitlab.tld/mygroup/repo/package becomes http://myprivategitlab.tld/mygroup/repo/package?go-get=1, which is supposed to return an HTML meta tag "go-import", e.g.:
<html><head><meta name="go-import" content="myprivategitlab.tld/mygroup/repo git ssh://git@myprivategitlab.tld/mygroup/repo.git" /></head></html>
This denotes which part of the import is a repository, which is a package, and how to clone the repository to gain access to the package.
GitLab already supports this feature, but there are some privacy concerns which make it impossible to use when the group or repository is marked as internal or private on GitLab: instead of the actual repo path, it returns the last public group used on that path, making it impossible for go get to clone the repo and get the package.
This is made worse by the fact that go get does not possess any form of authentication.
I understand the concern about hiding names of private/internal projects in some cases, but not all users require this for all of their projects, so some options to opt out of this mechanism should be implemented.
Right now there are two common solutions to the problem, which are more-or-less hacks around GitLab and may be solved in a better way by satisfying this proposal:
- Use .git suffix in import paths and use something like
  git config --global url."git@myprivategitlab.tld:".insteadOf "https://myprivategitlab.tld/"
  to configure git globally to translate the schema.
- Use some kind of reverse proxy (example for nginx here: https://gist.github.com/iamtakingiteasy/7cbc6e4baae5a9ff3aa879fa3789c8e1 ) in order to implement correct ?go-get=1 for specific groups or repositories
Proposal
I suggest adding an option to GitLab allowing exposure of project names (be that instance-wide or per-project) for those who require it, maybe along with some additional filters, such as testing that the query string is indeed "go-get=1", but that's not very important.
One other thing to consider is adding an option for which clone URL such an import tag would present: the https:// or the ssh://git@ one, because in many cases, having SSH pubkey authentication would be more convenient than HTTP authentication.
What does success look like, and how can we measure that?
Successful implementation of said feature would be some kind of a checkbox on instance/group/project, allowing its name to be exposed as indeed one hosted by the current GitLab instance, but without leaking its internal content, as a public repository would do.
Links / references
gitlab-ce#37832 gitlab-ce#30785
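
A sketch of the opt-in behaviour proposed above, as an added example (not GitLab's code and not part of the original issue): the go-import tag is emitted only for an exact ?go-get=1 query and only for projects on an opt-in list, and every other path gets the same 404. The instanceHost constant, the disclosed map and the goImportMeta function are hypothetical names with constructed values.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"strings"
)

// Constructed values: host name taken from the issue's example, opt-in list invented.
const instanceHost = "myprivategitlab.tld"

var disclosed = map[string]bool{"mygroup/repo": true}

// goImportMeta returns the go-import tag for an import path, or "" when the
// query is not exactly go-get=1 or no opted-in project is a prefix of the path.
func goImportMeta(path, rawQuery string, useSSH bool) string {
	if rawQuery != "go-get=1" {
		return ""
	}
	parts := strings.Split(strings.Trim(path, "/"), "/")
	// Try the longest prefix first so nested groups resolve to the deepest project.
	for n := len(parts); n >= 2; n-- {
		project := strings.Join(parts[:n], "/")
		if !disclosed[project] {
			continue
		}
		clone := "https://" + instanceHost + "/" + project + ".git"
		if useSSH {
			clone = "ssh://git@" + instanceHost + "/" + project + ".git"
		}
		return fmt.Sprintf(`<meta name="go-import" content="%s git %s" />`,
			html.EscapeString(instanceHost+"/"+project), html.EscapeString(clone))
	}
	return ""
}

func handler(w http.ResponseWriter, r *http.Request) {
	meta := goImportMeta(r.URL.Path, r.URL.RawQuery, true)
	if meta == "" {
		http.NotFound(w, r) // identical answer for private and nonexistent paths
		return
	}
	fmt.Fprintf(w, "<html><head>%s</head></html>", meta)
}

func main() {
	fmt.Println(goImportMeta("/mygroup/repo/package", "go-get=1", true))
}
```

Only the project name and clone URL are disclosed; cloning still requires the user's SSH key or HTTP credentials.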