Hosting Go module in a private repository (please help)
(1) By george on 2020-04-17 23:22:12 [link] [source]
Hello!
I'm trying to use Fossil for hosting Golang modules.
Golang's toolchain copes with the public repository (more-or-less),
but fails to clone from a private one.
It seems that Go does not pass to Fossil any clue about the username,
and Fossil just gives up cloning without it.
Has anybody already succeeded in the task described?
Your advice is much appreciated!
Is there some tricky way to instruct Fossil to use
particular credentials for a particular repo (as Git does)?
Or maybe it is possible to pass a username in the environment?
For testing I've set up two repositories: one public and another private, which host two distinct modules.
Everyone is invited to test these two repositories against their Go toolchain.
(2) By anonymous on 2020-04-18 01:32:48 in reply to 1 [source]
Do you get user/password prompt from your Fossil private host when doing GOPRIVATE?
When trying to clone your private repo directly using Fossil client, I don't get user/pass prompt unless I explicitly specify username in the URL:
fossil clone https://test@testbed.sha3.link/go-module/private test.fossil
password for test:
It doesn't look like Fossil would prompt you for username/pass when the remote is private (not sure what the remote's response is in that case, but the result shown by the Fossil client is 'Error: not authorized to clone').
When you specify the username in URL, Fossil prompts you for password before sending the request to the remote repo.
(3) By george on 2020-04-18 18:15:25 in reply to 2 [link] [source]
Do you get user/password prompt ... when doing GOPRIVATE?
No. GOPRIVATE tells Go to bypass centralized proxies and checksum DB:
$ go help module-private | head -16
The go command defaults to downloading modules from the public Go module mirror at proxy.golang.org. It also defaults to validating downloaded modules, regardless of source, against the public Go checksum database at sum.golang.org. These defaults work well for publicly available source code.
The GOPRIVATE environment variable controls which modules the go command considers to be private (not available publicly) and should therefore not use the proxy or checksum database. The variable is a comma-separated list of glob patterns (in the syntax of Go's path.Match) of module path prefixes. For example,
GOPRIVATE=*.corp.example.com,rsc.io/private
causes the go command to treat as private any module with a path prefix matching either pattern, including git.corp.example.com/xyzzy, rsc.io/private, and rsc.io/private/quux.
It doesn't look like Fossil would prompt you for username/pass when the remote is private ...
Yes, that's the problem, Fossil gives up with Error: not authorized to clone.
I think there should be a (Go-compatible) way to tell Fossil not to give up,
but instead try to clone with some credentials.
I can suggest some possibilities:
If the remote URL has @ but does not actually have a username (e.g. https://@testbed.sha3.link/go-module/private) then Fossil asks for both username and password (and not just password).
Like Go, Fossil consults some environment variable (e.g. FOSSIL_PRIVATE) for a list of glob patterns of private repositories.
Like Git, Fossil maintains a set of rules for mangling URLs of the remotes.
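The prefix-matching rule quoted from "go help module-private" in the post above, as an added example that is not part of the original thread. It follows the help text's description rather than reproducing the go command's source; the function name and the sample module paths beyond those in the help text are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// matchPrefixPatterns reports whether some prefix of the module path
// (cut at a "/" boundary) matches one of the comma-separated glob
// patterns, as the help text describes for GOPRIVATE.
// The name is hypothetical, chosen for this example.
func matchPrefixPatterns(globs, modPath string) bool {
	elems := strings.Split(modPath, "/")
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		if glob == "" {
			continue
		}
		// A pattern with N path elements is compared against the
		// first N elements of the module path, never a partial element.
		n := strings.Count(glob, "/") + 1
		if len(elems) < n {
			continue
		}
		prefix := strings.Join(elems[:n], "/")
		if ok, err := path.Match(glob, prefix); err == nil && ok {
			return true
		}
	}
	return false
}

func main() {
	// Patterns from the help text plus the thread's private module path.
	private := "*.corp.example.com,rsc.io/private,testbed.sha3.link/go-module/private"
	for _, m := range []string{ // constructed sample paths
		"git.corp.example.com/xyzzy",
		"corp.example.com/xyzzy", // bare domain: "*." needs a label before the dot
		"rsc.io/private/quux",
		"rsc.io/privately", // not a prefix match at a "/" boundary
		"testbed.sha3.link/go-module/private/goodbye",
		"testbed.sha3.link/go-module/public",
	} {
		fmt.Printf("%-46s private=%v\n", m, matchPrefixPatterns(private, m))
	}
}
```

A module that is not matched still goes through the public proxy and checksum database, so a pattern that is one path element too specific or too short changes where the module path is sent.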
(4) By anonymous on 2020-04-18 22:16:33 in reply to 3 [link] [source]
Looks like you're facing a common problem in setting up access to private Go modules hosted at various VCS. In case of Git/GitHub it appears the most recommended solution is to access your repo via SSH. This means setting up your SSH keys so that no password is needed.
Fossil also supports access by SSH (see "fossil help clone"). However, Golang support for Fossil VCS allows only access by HTTP and HTTPS. In case of Git, there's special handling to try access by SSH when HTTP/HTTPS fails. Additionally, in case of Git, Golang supports a special expression: "user@host" to signal an intent to use ssh:// schema for access.
You may take a look at https://github.com/golang/go/blob/master/src/cmd/go/internal/get/vcs.go. This part is for vcsGit, there's a respective function for vcsFossil in that file too.
Theoretically, it could be possible to add a similar implementation for vcsFossil as is done for vcsGit, so that vcsFossil would also recognize the user@host for ssh:// schema. Well, given someone interested has the needed Golang proficiency...
(5) By george on 2020-04-18 23:53:10 in reply to 4 [link] [source]
Thank you for the findings.
Fossil also supports access by SSH ...
I would rather avoid SSH here. Compared to Fossil, it seems to me significantly more tricky to lock down and maintain an unprivileged (rootless) SSH server within a slim chroot jail...
Furthermore, if a repository is accessed via SSH then the whole content
of server's repository file becomes exposed to a client
for reading (or even writing), isn't it?
If so, then all the benefits of Fossil's fine-grained access control system
are lost :-(
Also I'm afraid that it would take forever to persuade Google to make the appropriate fix...
(6) By anonymous on 2020-04-19 03:26:09 in reply to 3 [link] [source]
Yes, that's the problem, Fossil gives up with Error: not authorized to clone.
You didn't mention if you tried adding user@ to the URL like
go get test@testbed.sha3.link/go-module/private
Underneath it should call "fossil" with http/https proto. Fossil will then prompt for password. Do you get the password prompt this way?
(7) By george on 2020-04-19 22:54:03 in reply to 6 [link] [source]
No way:
$ go get test@testbed.sha3.link/go-module/private
go get test@testbed.sha3.link/go-module/private: package test is not in GOROOT (/usr/lib/go-1.14/src/test)
Go interprets it as module named "test" of version testbed.sha3.link/go-module/private
I did not test it yet, but I think that if a username were embedded into the
corresponding <meta> element of a page then Fossil would ask for the corresponding password.
However in this case only one predefined username (and password) is possible, which is unfortunate but better than nothing.
(8) By george on 2020-04-19 23:19:34 in reply to 7 [link] [source]
I was wrong. It seems that Go somehow prevents Fossil from asking for password:
$ go build -v use-private.go
go: finding module for package testbed.sha3.link/go-module/private/goodbye
get "testbed.sha3.link/go-module/private": found meta tag get.metaImport{Prefix:"testbed.sha3.link/go-module/private", VCS:"fossil", RepoRoot:"https://cloning@testbed.sha3.link/go-module/private/"} at //testbed.sha3.link/go-module/private?go-get=1
use-private.go:5:2: fossil clone -- https://cloning@testbed.sha3.link/go-module/private/ .fossil in $GOPATH/pkg/mod/cache/vcs/be27b9e4dea0a09d876836b0d02ac0963fc25160851a8aef4cd47adebc223dda: exit status 1:
missing or incorrect password for user "cloning"
Very unfortunate :-(
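The go-import meta tag shown in the output above is fetched before fossil is invoked, so a username (or password) placed in its repository URL is visible to anyone who can request that page. The following check for such embedded credentials is an added example, not part of the original thread; the sample page is constructed from the tag reported above, and the type and function names are hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// samplePage is constructed, modelled on the meta tag reported in the thread.
const samplePage = `<html><head>
<meta name="go-import" content="testbed.sha3.link/go-module/private fossil https://cloning@testbed.sha3.link/go-module/private/">
</head><body></body></html>`

// Finding is one go-import tag whose repository URL carries userinfo.
type Finding struct {
	Prefix, VCS, User string
	HasPassword       bool
}

// embeddedUsers scans an HTML page for go-import meta tags and reports
// those whose repo root URL embeds a username, with or without a password.
func embeddedUsers(page string) []Finding {
	var out []Finding
	d := xml.NewDecoder(strings.NewReader(page))
	d.Strict = false // tolerate HTML that is not well-formed XML
	d.AutoClose = xml.HTMLAutoClose
	d.Entity = xml.HTMLEntity
	for tok, err := d.Token(); err == nil; tok, err = d.Token() {
		se, ok := tok.(xml.StartElement)
		if !ok || !strings.EqualFold(se.Name.Local, "meta") {
			continue
		}
		attrs := map[string]string{}
		for _, a := range se.Attr {
			attrs[strings.ToLower(a.Name.Local)] = a.Value
		}
		// content is "<import prefix> <vcs> <repo root URL>"
		f := strings.Fields(attrs["content"])
		if attrs["name"] != "go-import" || len(f) != 3 {
			continue
		}
		if u, err := url.Parse(f[2]); err == nil && u.User != nil {
			_, pw := u.User.Password()
			out = append(out, Finding{Prefix: f[0], VCS: f[1], User: u.User.Username(), HasPassword: pw})
		}
	}
	return out
}

func main() { fmt.Printf("%+v\n", embeddedUsers(samplePage)) }
```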