doc/go1.13: highlight need to set GOPRIVATE when using private repos

[AndersonQ]

What did you do?

I update to go1.13beta1 and used go mod tidy to download private dependencies and it din't work as I had not set GOPRIVATE.

I know it's documented under Tools > Modules > Environment variables. However besides myself other colleges had similar issues when using go 1.13 and I believe others would face similar problems when updating. Therefore I'd like to suggest to state in the Introduction to Go 1.13 section the need/introduction of GOPRIVATE.

[mvdan]

/cc @andybons @dmitshur @bcmills @jayconrod

[jayconrod]

I'd prefer not to change this in the release notes. We can't adequately explain GOPRIVATE without more than doubling the length of the introduction. The introduction already links to a documentation page that describes GOPRIVATE, and the description in the release notes themselves is only a little further down, right below ports. So this is already mentioned very prominently.

[mvdan]

The first GOPRIVATE mention is a full three pages into the changelog, at least on my laptop at the default zoom level; I do think it should be at least be mentioned/linked as a quick warning near the very top of the changelog.

I do think plenty of Go developers won't notice the importance of GOPRIVATE. In a way, the proxy now being a default is a breaking change, as they'd suddenly be leaking private information (such as import paths and version names of closed source modules) to the proxy.

[bcmills]

I agree with @jayconrod. The fact that we're now defaulting to the public checksum database is in the very first paragraph of text, and the need to configure something for private module dependencies follows directly from that.

In particular, the go command documentation linked in the very first paragraph of the release notes mentions GOPRIVATE in its second paragraph.

On the other hand, not everyone has private module dependencies. For example, users that have only “leaf” modules (that is, their own possibly-private module plus open-source dependencies) may not care about GOPRIVATE, because all of their private dependencies are already contained within the main module.

Also note that the paragraph describing GOPRIVATE in the release notes proper is also solidly above-the-fold relative to the Modules anchor.

It's true that the word GOPRIVATE is not above the fold in the release notes overall, but given that it is mentioned prominently in several adjacent locations and that it is only useful to a particular subset of users (those using the public proxy but with private module dependencies), I think it is appropriately positioned as-is.

CC @katiehockman

[katiehockman]

I don't have an issue with adding a sentence in that paragraph of Introduction to Go 1.13, especially if people are running into this problem already. Could say something like "If you are using private modules, see the documentation for configuring your environment."

If that sounds good, I'll make a PR.

[mvdan]

Yes, the main reason I asked @AndersonQ to file this bug is because he wasn't the first to miss the important piece of information after skimming the release notes for breaking changes.

[gopherbot]

Change https://golang.org/cl/191746 mentions this issue: doc/go1.13: add information about using private modules to the introduction

[andybons]

@gopherbot please create a cherrypick issue for 1.13

[andybons]

Misspelled cherrypick. Bleh.

@gopherbot please consider this for backport to 1.13, it is a documentation change.

[gopherbot]

Change https://golang.org/cl/191749 mentions this issue: doc/go1.13: add information about using private modules to the introduction

[gopherbot]

Backport issue(s) opened: #33846 (for 1.13).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.