env dbname=localhost.localdev/sumdb

# disagreeing with the sumdb produces security errors
# (this also populates tiles on the sumdb server).
cp go.mod.orig go.mod
env GOSUMDB=$sumdb' '$proxy/sumdb-wrong
! go get rsc.io/quote
stderr 'go: rsc.io/quote@v1.5.2: verifying module: checksum mismatch'
stderr 'downloaded: h1:3fEy'
stderr 'localhost.localdev/sumdb: h1:wrong'
stderr 'SECURITY ERROR\nThis download does NOT match the one reported by the checksum server.'

# Security Policy

## Supported Versions

We support the past two Go releases (for example, Go 1.17.x and Go 1.18.x when Go 1.18.x is the latest stable release).

See https://go.dev/wiki/Go-Release-Cycle and in particular the
[Release Maintenance](https://go.dev/wiki/Go-Release-Cycle#release-maintenance)
part of that page.

## Reporting a Vulnerability

# hashes, but the overlaid file has the correct values. If
# the correct go.sum is used with the overlay, 'go get .' should
# not report a security error.
cd $WORK/gopath/src/overlay-sum-used
! go get .
stderr 'SECURITY ERROR'
! go mod verify
stderr 'SECURITY ERROR'
go get -overlay overlay.json .
go mod verify -overlay overlay.json
# Overlaid go.sum is not rewritten.

env GOPRIVATE GOPROXY GONOPROXY GOSUMDB GONOSUMDB
env dbname=localhost.localdev/sumdb

# disagree with sumdb fails
cp go.mod.orig go.mod
env GOSUMDB=$sumdb' '$proxy/sumdb-wrong
! go get rsc.io/quote
stderr 'SECURITY ERROR'

# GONOSUMDB bypasses sumdb, for rsc.io/quote, rsc.io/sampler, golang.org/x/text
env GONOSUMDB='*/quote,*/*mple*,golang.org/x'
go get rsc.io/quote
rm go.sum
env GOPRIVATE='*/quote,*/*mple*,golang.org/x'

the behavior you are seeing is confirmed as a bug or issue, it can easily be re-raised in the issue tracker.

## Filing issues

Sensitive security-related issues should be reported to [security@golang.org](mailto:******@****.***).
See the [security policy](https://golang.org/security) for details.

The recommended way to file an issue is by running `go bug`.
Otherwise, when filing an issue, make sure to answer these five questions:

-- want-error --
verifying rsc.io/sampler@v1.3.0/go.mod: checksum mismatch
	downloaded: h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
	$WORK${/}gopath${/}src${/}a${/}go.sum:     h1:U1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

[!GOOS:windows] stop
[!exec:icacls] skip
[!exec:powershell] skip

# Create $WORK\guest and give the Guests group full access.
# Files created within that directory will have different security attributes by default.
mkdir $WORK\guest
exec icacls $WORK\guest /grant '*S-1-5-32-546:(oi)(ci)f'

env TMP=$WORK\guest
env TEMP=$WORK\guest

# Build a binary using the guest directory as an intermediate
cd TestACL
go build -o main.exe main.go