
cmd/go: [modules + integration] per-goproxy disabling of any notary check #31306

Status: Closed
nim-nim opened this issue Apr 6, 2019 · 1 comment
Labels: modules, NeedsInvestigation (Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.)

nim-nim commented Apr 6, 2019

This report is part of a series, filed at the request of @mdempsky, focused on making Go modules integrator-friendly.

Please do not close or mark it as duplicate before making sure you’ve read and understood the general context. A lot of work went into identifying problem points precisely.

Needed feature

Go needs to allow disabling any notary check on specific goproxy sources (#31304)

The check disabling needs to be per-module source, not per-module-match or for all, like in GONOVERIFY.

Constraints

  • the disabling needs to apply on specific goproxy sources

Motivation

The whole point of working in a trusted baseline mode is the ability to inject last-mile critical fixes in the third party modules used, and avoid lockdown while their upstream considers how it wants to fix identified problems. Therefore, any baseline module is likely not matching any external public notary hash. And this is not a problem.

Moreover, any module produced by intermediary go mod pack (issue #31302) calls can’t have been vouched for by any notary by construction:

  • it has just been created within the same CI/CD job
  • the CI/CD will typically block remote network calls.

Asking a remote notary to attest you can use files you’ve just produced yourself would be more than slightly masochistic.

However, just because one needs to disable notary checks for internal goproxy module sources does not mean that one would like to disable verifications for other module sources like the internet.
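Why a baseline module carrying a last-mile fix can never match a public notary entry, shown as an added example that is not part of this issue or of the Go tool: the module hash recorded in go.sum and by the checksum notary is the "h1:" hash of golang.org/x/mod/sumdb/dirhash.Hash1, reimplemented below with only the standard library (the algorithm is sort file names, SHA-256 each file, feed "<hex>  <name>" lines into a second SHA-256, base64 with an "h1:" prefix). The module path example.com/m, its version and its file contents are constructed for the example; the one-line patch stands in for the kind of fix an integrator injects.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles holds module contents as they appear inside a module zip:
// "module@version/relative/path" -> file bytes (constructed in-memory here).
type ModuleFiles map[string]string

// Hash1 reimplements the "h1:" module hash (golang.org/x/mod/sumdb/dirhash.Hash1):
// sort the file names, hash each file with SHA-256, write "<hex>  <name>\n"
// lines into a summary SHA-256, then base64-encode it behind an "h1:" prefix.
func Hash1(files ModuleFiles) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		// A newline in a name would let one file forge the summary line of another.
		if strings.Contains(name, "\n") {
			return "", fmt.Errorf("file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)

	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// Verify models the notary check: the hash the notary recorded for a
// module@version must equal the hash of the bytes actually fetched.
func Verify(files ModuleFiles, recorded string) (bool, error) {
	got, err := Hash1(files)
	if err != nil {
		return false, err
	}
	return got == recorded, nil
}

// upstream is a constructed sample module as its public author published it.
var upstream = ModuleFiles{
	"example.com/m@v1.0.0/go.mod":   "module example.com/m\n\ngo 1.12\n",
	"example.com/m@v1.0.0/parse.go": "package m\n\nfunc Parse(s string) string { return s }\n",
}

// patched returns the same module@version after a last-mile fix in the
// trusted baseline: one line changed, module path and version untouched.
func patched() ModuleFiles {
	out := ModuleFiles{}
	for k, v := range upstream {
		out[k] = v
	}
	out["example.com/m@v1.0.0/parse.go"] =
		"package m\n\nimport \"strings\"\n\nfunc Parse(s string) string { return strings.TrimSpace(s) }\n"
	return out
}

func main() {
	recorded, _ := Hash1(upstream) // what a public notary would have logged for v1.0.0
	ok, _ := Verify(upstream, recorded)
	fmt.Println("upstream bytes match notary record:", ok)
	ok, _ = Verify(patched(), recorded)
	fmt.Println("baseline (patched) bytes match notary record:", ok)
	h, _ := Hash1(patched())
	fmt.Println("hash of the patched module:", h)
}
```

Because the hash covers every byte of every file, a baseline module with an injected fix gets a different h1 value under the same module@version, so a remote notary that only ever saw the upstream bytes can only reject it; which proxy served the bytes is not something the hash itself can express, which is the gap the per-goproxy exemption asks to fill.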

@nim-nim nim-nim changed the title [modules + integration] Per-goproxy disabling of any notary check [modules + integration] per-goproxy disabling of any notary check Apr 6, 2019
@thepudds thepudds changed the title [modules + integration] per-goproxy disabling of any notary check cmd/go: [modules + integration] per-goproxy disabling of any notary check Apr 6, 2019
@julieqiu julieqiu added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 28, 2019
@seankhliao seankhliao added this to the Unplanned milestone Aug 20, 2022
seankhliao (Member) commented
I believe this goes against Go's security posture of allowing injection attacks.
We expect replacements to be explicit as replaces.

@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Dec 2, 2024
No branches or pull requests

4 participants