[release-branch.go1.13] go1.13.8

Change-Id: Ia174ccd8d5c26f44aeea188113e292f5048ec873
Reviewed-on: https://go-review.googlesource.com/c/go/+/219219
Run-TryBot: Alexander Rakoczy <alex@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

CONTRIBUTORS

@@ -76,6 +76,7 @@ Alan Donovan <adonovan@google.com>
 Alan Shreve <alan@inconshreveable.com>
 Albert Nigmatzianov <albertnigma@gmail.com>
 Albert Strasheim <fullung@gmail.com>
+Albert Teoh <albert.teoh@gmail.com>
 Albert Yu <yukinying@gmail.com>
 Alberto Bertogli <albertito@blitiri.com.ar>
 Alberto Donizetti <alb.donizetti@gmail.com>
@@ -140,6 +141,7 @@ Ali Rizvi-Santiago <arizvisa@gmail.com>
 Aliaksandr Valialkin <valyala@gmail.com>
 Alif Rachmawadi <subosito@gmail.com>
 Allan Simon <allan.simon@supinfo.com>
+Allen Li <ayatane@google.com>
 Alok Menghrajani <alok.menghrajani@gmail.com>
 Aman Gupta <aman@tmm1.net>
 Amir Mohammad Saied <amir@gluegadget.com>
@@ -147,6 +149,7 @@ Amr Mohammed <merodiro@gmail.com>
 Amrut Joshi <amrut.joshi@gmail.com>
 Anand K. Mistry <anand@mistry.ninja>
 Anders Pearson <anders@columbia.edu>
+Anderson Queiroz <contato@andersonq.eti.br>
 André Carvalho <asantostc@gmail.com>
 Andre Nathan <andrenth@gmail.com>
 Andrea Nodari <andrea.nodari91@gmail.com>
@@ -182,6 +185,7 @@ Andrew Radev <andrey.radev@gmail.com>
 Andrew Skiba <skibaa@gmail.com>
 Andrew Stribblehill <ads@wompom.org>
 Andrew Szeto <andrew@jabagawee.com>
+Andrew Todd <andrew.todd@wework.com>
 Andrew Werner <andrew@upthere.com> <awerner32@gmail.com>
 Andrew Wilkins <axwalk@gmail.com>
 Andrew Williams <williams.andrew@gmail.com>
@@ -235,6 +239,7 @@ Arnaud Ysmal <arnaud.ysmal@gmail.com>
 Arne Hormann <arnehormann@gmail.com>
 Arnout Engelen <arnout@bzzt.net>
 Aron Nopanen <aron.nopanen@gmail.com>
+Artem Kolin <artemkaxboy@gmail.com>
 Arthur Fabre <arthur@arthurfabre.com>
 Arthur Khashaev <arthur@khashaev.ru>
 Artyom Pervukhin <artyom.pervukhin@gmail.com>
@@ -284,6 +289,7 @@ Benny Siegert <bsiegert@gmail.com>
 Benoit Sigoure <tsunanet@gmail.com>
 Berengar Lehr <Berengar.Lehr@gmx.de>
 Berkant Ipek <41230766+0xbkt@users.noreply.github.com>
+Bharath Thiruveedula <tbharath91@gmail.com>
 Bill Neubauer <wcn@golang.org> <wcn@google.com> <bill.neubauer@gmail.com>
 Bill O'Farrell <billo@ca.ibm.com>
 Bill Prin <waprin@google.com>
@@ -401,6 +407,7 @@ Chris Zou <chriszou@ca.ibm.com>
 Christian Alexander <christian@linux.com>
 Christian Couder <chriscool@tuxfamily.org>
 Christian Himpel <chressie@googlemail.com> <chressie@gmail.com>
+Christian Muehlhaeuser <muesli@gmail.com>
 Christian Pellegrin <chri@evolware.org>
 Christian R. Petrin <christianpetrin@gmail.com>
 Christine Hansmann <chhansmann@gmail.com>
@@ -481,6 +488,7 @@ Daria Kolistratova <daria.kolistratova@intel.com>
 Darien Raymond <admin@v2ray.com>
 Darren Elwood <darren@textnode.com>
 Darren Grant <darren.e.grant@gmail.com>
+Darren McCleary <darren.rmc@gmail.com>
 Darshan Parajuli <parajulidarshan@gmail.com>
 Datong Sun <dndx@idndx.com>
 Dave Borowitz <dborowitz@google.com>
@@ -501,6 +509,7 @@ David Chase <drchase@google.com>
 David Covert <davidhcovert@gmail.com>
 David Crawshaw <david.crawshaw@zentus.com> <crawshaw@google.com> <crawshaw@golang.org>
 David du Colombier <0intro@gmail.com>
+David Finkel <david.finkel@gmail.com>
 David Forsythe <dforsythe@gmail.com>
 David G. Andersen <dave.andersen@gmail.com>
 David Glasser <glasser@meteor.com>
@@ -594,6 +603,7 @@ Dustin Shields-Cloues <dcloues@gmail.com>
 Dvir Volk <dvir@everything.me> <dvirsky@gmail.com>
 Dylan Waits <dylan@waits.io>
 Edan Bedrik <3d4nb3@gmail.com>
+Eddie Scholtz <escholtz@google.com>
 Eden Li <eden.li@gmail.com>
 Eduard Urbach <e.urbach@gmail.com>
 Eduardo Ramalho <eduardo.ramalho@gmail.com>
@@ -763,9 +773,12 @@ GitHub User @pityonline (438222) <pityonline@gmail.com>
 GitHub User @pytimer (17105586) <lixin20101023@gmail.com>
 GitHub User @saitarunreddy (21041941) <saitarunreddypalla@gmail.com>
 GitHub User @shogo-ma (9860598) <Choroma194@gmail.com>
+GitHub User @tatsumack (4510569) <tatsu.mack@gmail.com>
 GitHub User @tell-k (26263) <ffk2005@gmail.com>
 GitHub User @uhei (2116845) <uhei@users.noreply.github.com>
 GitHub User @uropek (39370426) <uropek@gmail.com>
+GitHub User @utkarsh-extc (53217283) <53217283+utkarsh-extc@users.noreply.github.com>
+GitHub User @yuanhh (1298735) <yuan415030@gmail.com>
 GitHub User @ZZMarquis (7624583) <zhonglingjian3821@163.com>
 Giulio Iotti <dullgiulio@gmail.com>
 Giulio Micheloni <giulio.micheloni@gmail.com>
@@ -861,6 +874,7 @@ Igor Bernstein <igorbernstein@google.com>
 Igor Dolzhikov <bluesriverz@gmail.com>
 Igor Vashyst <ivashyst@gmail.com>
 Igor Zhilianin <igor.zhilianin@gmail.com>
+Illya Yalovyy <yalovoy@gmail.com>
 Ilya Tocar <ilya.tocar@intel.com>
 INADA Naoki <songofacandy@gmail.com>
 Inanc Gumus <m@inanc.io>
@@ -905,6 +919,7 @@ James Clarke <jrtc27@jrtc27.com>
 James Cowgill <James.Cowgill@imgtec.com>
 James Craig Burley <james-github@burleyarch.com>
 James David Chalfant <james.chalfant@gmail.com>
+James Eady <jmeady@google.com>
 James Fysh <james.fysh@gmail.com>
 James Gray <james@james4k.com>
 James Hartig <fastest963@gmail.com>
@@ -937,6 +952,7 @@ Jan Lehnardt <jan@apache.org>
 Jan Mercl <0xjnml@gmail.com> <befelemepeseveze@gmail.com>
 Jan Newmarch <jan.newmarch@gmail.com>
 Jan Pilzer <jan.pilzer@gmx.de>
+Jan Steinke <jan.steinke@gmail.com>
 Jan Ziak <0xe2.0x9a.0x9b@gmail.com>
 Jani Monoses <jani.monoses@ubuntu.com> <jani.monoses@gmail.com>
 Jannis Andrija Schnitzer <jannis@schnitzer.im>
@@ -954,6 +970,7 @@ Jason Smale <jsmale@zendesk.com>
 Jason Travis <infomaniac7@gmail.com>
 Jason Wangsadinata <jwangsadinata@gmail.com>
 Javier Kohen <jkohen@google.com>
+Javier Revillas <jrevillas@massivedynamic.io>
 Javier Segura <javism@gmail.com>
 Jay Conrod <jayconrod@google.com>
 Jay Taylor <outtatime@gmail.com>
@@ -1071,6 +1088,8 @@ Jordan Krage <jmank88@gmail.com>
 Jordan Lewis <jordanthelewis@gmail.com>
 Jordan Liggitt <liggitt@google.com>
 Jordan Rhee <jordanrh@microsoft.com>
+Jordi Martin <jordimartin@gmail.com>
+Jorge Araya <jorgejavieran@yahoo.com.mx>
 Jos Visser <josv@google.com>
 Jose Luis Vázquez González <josvazg@gmail.com>
 Joseph Bonneau <jcb@google.com>
@@ -1114,6 +1133,7 @@ Justin Gracenin <jgracenin@gmail.com>
 Justin Li <git@justinli.net>
 Justin Nuß <nuss.justin@gmail.com>
 Justyn Temme <justyntemme@gmail.com>
+Kelly Heller <pestophagous@gmail.com>
 Kai Backman <kaib@golang.org>
 Kai Dong <dokia2357@gmail.com>
 Kai Trukenmüller <ktye78@gmail.com>
@@ -1159,6 +1179,7 @@ Kenta Mori <zoncoen@gmail.com>
 Ketan Parmar <ketanbparmar@gmail.com>
 Kevin Ballard <kevin@sb.org>
 Kevin Burke <kev@inburke.com>
+Kevin Gillette <extemporalgenome@gmail.com>
 Kevin Kirsche <kev.kirsche@gmail.com>
 Kevin Klues <klueska@gmail.com> <klueska@google.com>
 Kevin Malachowski <chowski@google.com>
@@ -1284,6 +1305,7 @@ Marius A. Eriksen <marius@grailbio.com>
 Marius Nuennerich <mnu@google.com>
 Mark Adams <mark@markadams.me>
 Mark Bucciarelli <mkbucc@gmail.com>
+Mark Glines <mark@glines.org>
 Mark Harrison <marhar@google.com>
 Mark Percival <m@mdp.im>
 Mark Pulford <mark@kyne.com.au>
@@ -1480,6 +1502,7 @@ Muir Manders <muir@mnd.rs>
 Mura Li <mura_li@castech.com.tw>
 Mykhailo Lesyk <mikhail@lesyk.org>
 Nan Deng <monnand@gmail.com>
+Nao Yonashiro <owan.orisano@gmail.com>
 Naoki Kanatani <k12naoki@gmail.com>
 Nate Wilkinson <nathanwilk7@gmail.com>
 Nathan Cantelmo <n.cantelmo@gmail.com>
@@ -1566,6 +1589,7 @@ Paolo Giarrusso <p.giarrusso@gmail.com>
 Paolo Martini <mrtnpaolo@gmail.com>
 Parker Moore <parkrmoore@gmail.com>
 Parminder Singh <parmsingh101@gmail.com>
+Pascal Dierich <pascal@pascaldierich.com>
 Pascal S. de Kloe <pascal@quies.net>
 Pat Moroney <pat@pat.email>
 Patrick Barker <barkerp@vmware.com>
@@ -1658,6 +1682,7 @@ Prasanna Swaminathan <prasanna@mediamath.com>
 Prashant Varanasi <prashant@prashantv.com>
 Pravendra Singh <hackpravj@gmail.com>
 Preetam Jinka <pj@preet.am>
+Pure White <wu.purewhite@gmail.com>
 Qais Patankar <qaisjp@gmail.com>
 Qiuxuan Zhu <ilsh1022@gmail.com>
 Quan Tran <qeed.quan@gmail.com>
@@ -1774,6 +1799,7 @@ Sad Pencil <qh06@qq.com>
 Sai Cheemalapati <saicheems@google.com>
 Sakeven Jiang <jc5930@sina.cn>
 Salmān Aljammāz <s@0x65.net>
+Sam Arnold <sarnold64@bloomberg.net>
 Sam Boyer <tech@samboyer.org>
 Sam Ding <samding@ca.ibm.com>
 Sam Hug <samuel.b.hug@gmail.com>
@@ -1785,6 +1811,7 @@ Sami Pönkänen <sami.ponkanen@gmail.com>
 Samuel Kelemen <SCKelemen@users.noreply.github.com>
 Samuel Tan <samueltan@google.com>
 Samuele Pedroni <pedronis@lucediurna.net>
+Sander van Harmelen <sander@vanharmelen.nl>
 Sanjay Menakuru <balasanjay@gmail.com>
 Santhosh Kumar Tekuri <santhosh.tekuri@gmail.com>
 Sarah Adams <shadams@google.com>
@@ -1814,6 +1841,7 @@ Sebastien Williams-Wynn <sebastien@cytora.com>
 Segev Finer <segev208@gmail.com>
 Seiji Takahashi <timaki.st@gmail.com>
 Sergei Skorobogatov <skorobo@rambler.ru>
+Sergei Zagurskii <gvozdoder@gmail.com>
 Sergey 'SnakE' Gromov <snake.scaly@gmail.com>
 Sergey Arseev <sergey.arseev@intel.com>
 Sergey Dobrodey <sergey.dobrodey@synesis.ru>
@@ -1845,6 +1873,7 @@ Shijie Hao <haormj@gmail.com>
 Shinji Tanaka <shinji.tanaka@gmail.com>
 Shintaro Kaneko <kaneshin0120@gmail.com>
 Shivakumar GN <shivakumar.gn@gmail.com>
+Shivani Singhal <shivani.singhal2804@gmail.com>
 Shivansh Rai <shivansh@freebsd.org>
 Shubham Sharma <shubham.sha12@gmail.com>
 Shun Fan <sfan@google.com>
@@ -1865,6 +1894,7 @@ StalkR <stalkr@stalkr.net>
 Stan Schwertly <stan@schwertly.com>
 Stanislav Afanasev <php.progger@gmail.com>
 Steeve Morin <steeve.morin@gmail.com>
+Stefan Baebler <sbaebler@outbrain.com>
 Stefan Nilsson <snilsson@nada.kth.se> <trolleriprofessorn@gmail.com>
 Stepan Shabalin <neverliberty@gmail.com>
 Stephan Renatus <srenatus@chef.io>
@@ -1951,6 +1981,7 @@ Thomas Wanielista <tomwans@gmail.com>
 Thorben Krueger <thorben.krueger@gmail.com>
 Thordur Bjornsson <thorduri@secnorth.net>
 Tiago Queiroz <contato@tiago.eti.br>
+Tianon Gravi <admwiggin@gmail.com>
 Tilman Dilo <tilman.dilo@gmail.com>
 Tim Cooijmans <timcooijmans@gmail.com>
 Tim Cooper <tim.cooper@layeh.com>
@@ -1991,6 +2022,7 @@ Tony Walker <walkert.uk@gmail.com>
 Tooru Takahashi <tooru.takahashi134@gmail.com>
 Tor Andersson <tor.andersson@gmail.com>
 Tormod Erevik Lea <tormodlea@gmail.com>
+Toshihiro Shiino <shiino.toshihiro@gmail.com>
 Toshiki Shima <hayabusa1419@gmail.com>
 Totoro W <tw19881113@gmail.com>
 Travis Bischel <travis.bischel@gmail.com>
@@ -2052,6 +2084,7 @@ Volker Dobler <dr.volker.dobler@gmail.com>
 Volodymyr Paprotski <vpaprots@ca.ibm.com>
 W. Trevor King <wking@tremily.us>
 Wade Simmons <wade@wades.im>
+Wagner Riffel <wgrriffel@gmail.com>
 Walter Poupore <wpoupore@google.com>
 Wander Lairson Costa <wcosta@mozilla.com>
 Warren Fernandes <warren.f.fernandes@gmail.com>

VERSION

@@ -0,0 +1 @@
+go1.13.8

doc/contrib.html

@@ -34,6 +34,7 @@ We encourage all Go users to subscribe to
 <p>A <a href="/doc/devel/release.html">summary</a> of the changes between Go releases. Notes for the major releases:</p>
 
 <ul>
+	<li><a href="/doc/go1.13">Go 1.13</a> <small>(September 2019)</small></li>
 	<li><a href="/doc/go1.12">Go 1.12</a> <small>(February 2019)</small></li>
 	<li><a href="/doc/go1.11">Go 1.11</a> <small>(August 2018)</small></li>
 	<li><a href="/doc/go1.10">Go 1.10</a> <small>(February 2018)</small></li>

doc/devel/release.html

@@ -23,6 +23,53 @@ in supported releases as needed by issuing minor revisions
 (for example, Go 1.6.1, Go 1.6.2, and so on).
 </p>
 
+<h2 id="go1.13">go1.13 (released 2019/09/03)</h2>
+
+<p>
+Go 1.13 is a major release of Go.
+Read the <a href="/doc/go1.13">Go 1.13 Release Notes</a> for more information.
+</p>
+
+<h3 id="go1.13.minor">Minor revisions</h3>
+
+<p>
+go1.13.1 (released 2019/09/25) includes security fixes to the
+<code>net/http</code> and <code>net/textproto</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.13.1+label%3ACherryPickApproved">Go
+1.13.1 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.13.2 (released 2019/10/17) includes security fixes to the
+<code>crypto/dsa</code> package and the compiler.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.13.2+label%3ACherryPickApproved">Go
+1.13.2 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.13.3 (released 2019/10/17) includes fixes to the go command,
+the toolchain, the runtime, <code>syscall</code>, <code>net</code>,
+<code>net/http</code>, and <code>crypto/ecdsa</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.13.3+label%3ACherryPickApproved">Go
+1.13.3 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.13.4 (released 2019/10/31) includes fixes to the <code>net/http</code> and
+<code>syscall</code> packages. It also fixes an issue on macOS 10.15 Catalina
+where the non-notarized installer and binaries were being
+<a href="https://golang.org/issue/34986">rejected by Gatekeeper</a>.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.13.4+label%3ACherryPickApproved">Go
+1.13.4 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.13.5 (released 2019/12/04) includes fixes to the go command, the runtime,
+the linker, and the <code>net/http</code> package. See the
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.13.5+label%3ACherryPickApproved">Go
+1.13.5 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.12">go1.12 (released 2019/02/25)</h2>
 
 <p>
@@ -36,7 +83,7 @@ Read the <a href="/doc/go1.12">Go 1.12 Release Notes</a> for more information.
 go1.12.1 (released 2019/03/14) includes fixes to cgo, the compiler, the go
 command, and the <code>fmt</code>, <code>net/smtp</code>, <code>os</code>,
 <code>path/filepath</code>, <code>sync</code>, and <code>text/template</code>
-packages. See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.1">Go
+packages. See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.1+label%3ACherryPickApproved">Go
 1.12.1 milestone</a> on our issue tracker for details.
 </p>
 
@@ -44,7 +91,7 @@ packages. See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1
 go1.12.2 (released 2019/04/05) includes fixes to the compiler, the go
 command, the runtime, and the <code>doc</code>, <code>net</code>,
 <code>net/http/httputil</code>, and <code>os</code> packages. See the
-<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.2">Go
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.2+label%3ACherryPickApproved">Go
 1.12.2 milestone</a> on our issue tracker for details.
 </p>
 
@@ -65,7 +112,7 @@ Only Linux users who hit this issue need to update.
 <p>
 go1.12.5 (released 2019/05/06) includes fixes to the compiler, the linker,
 the go command, the runtime, and the <code>os</code> package. See the
-<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.5">Go
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.5+label%3ACherryPickApproved">Go
 1.12.5 milestone</a> on our issue tracker for details.
 </p>
 
@@ -73,21 +120,21 @@ the go command, the runtime, and the <code>os</code> package. See the
 go1.12.6 (released 2019/06/11) includes fixes to the compiler, the linker,
 the go command, and the <code>crypto/x509</code>, <code>net/http</code>, and
 <code>os</code> packages. See the
-<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.6">Go
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.6+label%3ACherryPickApproved">Go
 1.12.6 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.12.7 (released 2019/07/08) includes fixes to cgo, the compiler,
 and the linker.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.7">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.7+label%3ACherryPickApproved">Go
 1.12.7 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.12.8 (released 2019/08/13) includes security fixes to the
 <code>net/http</code> and <code>net/url</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.8">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.8+label%3ACherryPickApproved">Go
 1.12.8 milestone</a> on our issue tracker for details.
 </p>
 
@@ -98,6 +145,40 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.9+labe
 1.12.9 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.12.10 (released 2019/09/25) includes security fixes to the
+<code>net/http</code> and <code>net/textproto</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.10+label%3ACherryPickApproved">Go
+1.12.10 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.12.11 (released 2019/10/17) includes security fixes to the
+<code>crypto/dsa</code> package.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.11+label%3ACherryPickApproved">Go
+1.12.11 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.12.12 (released 2019/10/17) includes fixes to the go command,
+runtime, <code>syscall</code> and <code>net</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.12+label%3ACherryPickApproved">Go
+1.12.12 milestone</a> on our issue tracker for details.
+</p>
+
+<p>
+go1.12.13 (released 2019/10/31) fixes an issue on macOS 10.15 Catalina
+where the non-notarized installer and binaries were being
+<a href="https://golang.org/issue/34986">rejected by Gatekeeper</a>.
+Only macOS users who hit this issue need to update.
+</p>
+
+<p>
+go1.12.14 (released 2019/12/04) includes a fix to the runtime. See
+the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.14+label%3ACherryPickApproved">Go
+1.12.14 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.11">go1.11 (released 2018/08/24)</h2>
 
 <p>
@@ -112,7 +193,7 @@ go1.11.1 (released 2018/10/01) includes fixes to the compiler, documentation, go
 command, runtime, and the <code>crypto/x509</code>, <code>encoding/json</code>,
 <code>go/types</code>, <code>net</code>, <code>net/http</code>, and
 <code>reflect</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.1">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.1+label%3ACherryPickApproved">Go
 1.11.1 milestone</a> on our issue tracker for details.
 </p>
 
@@ -120,14 +201,14 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.1">Go
 go1.11.2 (released 2018/11/02) includes fixes to the compiler, linker,
 documentation, go command, and the <code>database/sql</code> and
 <code>go/types</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.2">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.2+label%3ACherryPickApproved">Go
 1.11.2 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.11.3 (released 2018/12/12) includes three security fixes to "go get" and
 the <code>crypto/x509</code> package.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.3">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.3+label%3ACherryPickApproved">Go
 1.11.3 milestone</a> on our issue tracker for details.
 </p>
 
@@ -144,7 +225,7 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.4+labe
 <p>
 go1.11.5 (released 2019/01/23) includes a security fix to the
 <code>crypto/elliptic</code> package.  See
-the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.5">Go
+the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.5+label%3ACherryPickApproved">Go
 1.11.5 milestone</a> on our issue tracker for details.
 </p>
 
@@ -152,14 +233,14 @@ the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.5">Go
 go1.11.6 (released 2019/03/14) includes fixes to cgo, the compiler, linker,
 runtime, go command, and the <code>crypto/x509</code>, <code>encoding/json</code>,
 <code>net</code>, and <code>net/url</code> packages. See the
-<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.6">Go
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.6+label%3ACherryPickApproved">Go
 1.11.6 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.11.7 (released 2019/04/05) includes fixes to the runtime and the
 <code>net</code> packages. See the
-<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.7">Go
+<a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.7+label%3ACherryPickApproved">Go
 1.11.7 milestone</a> on our issue tracker for details.
 </p>
 
@@ -179,26 +260,26 @@ Only Linux users who hit this issue need to update.
 
 <p>
 go1.11.10 (released 2019/05/06) includes fixes to the runtime and the linker.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.10">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.10+label%3ACherryPickApproved">Go
 1.11.10 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.11.11 (released 2019/06/11) includes a fix to the <code>crypto/x509</code> package.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.11">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.11+label%3ACherryPickApproved">Go
 1.11.11 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.11.12 (released 2019/07/08) includes fixes to the compiler and the linker.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.12">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.12+label%3ACherryPickApproved">Go
 1.11.12 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.11.13 (released 2019/08/13) includes security fixes to the
 <code>net/http</code> and <code>net/url</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.13">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.11.13+label%3ACherryPickApproved">Go
 1.11.13 milestone</a> on our issue tracker for details.
 </p>
 
@@ -216,14 +297,14 @@ go1.10.1 (released 2018/03/28) includes fixes to the compiler, runtime, and the
 <code>archive/zip</code>, <code>crypto/tls</code>, <code>crypto/x509</code>,
 <code>encoding/json</code>, <code>net</code>, <code>net/http</code>, and
 <code>net/http/pprof</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.1">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.1+label%3ACherryPickApproved">Go
 1.10.1 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.10.2 (released 2018/05/01) includes fixes to the compiler, linker, and go
 command.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.2">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.2+label%3ACherryPickApproved">Go
 1.10.2 milestone</a> on our issue tracker for details.
 </p>
 
@@ -232,7 +313,7 @@ go1.10.3 (released 2018/06/05) includes fixes to the go command, and the
 <code>crypto/tls</code>, <code>crypto/x509</code>, and <code>strings</code> packages.
 In particular, it adds <a href="https://go.googlesource.com/go/+/d4e21288e444d3ffd30d1a0737f15ea3fc3b8ad9">
 minimal support to the go command for the vgo transition</a>.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.3">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.3+label%3ACherryPickApproved">Go
 1.10.3 milestone</a> on our issue tracker for details.
 </p>
 
@@ -240,14 +321,14 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.3">Go
 go1.10.4 (released 2018/08/24) includes fixes to the go command, linker, and the
 <code>net/http</code>, <code>mime/multipart</code>, <code>ld/macho</code>,
 <code>bytes</code>, and <code>strings</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.4">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.4+label%3ACherryPickApproved">Go
 1.10.4 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.10.5 (released 2018/11/02) includes fixes to the go command, linker, runtime
 and the <code>database/sql</code> package.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.5">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.5+label%3ACherryPickApproved">Go
 1.10.5 milestone</a> on our issue tracker for details.
 </p>
 
@@ -255,7 +336,7 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.5">Go
 go1.10.6 (released 2018/12/12) includes three security fixes to "go get" and
 the <code>crypto/x509</code> package.
 It contains the same fixes as Go 1.11.3 and was released at the same time.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.6">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.6+label%3ACherryPickApproved">Go
 1.10.6 milestone</a> on our issue tracker for details.
 </p>
 
@@ -270,7 +351,7 @@ Go 1.10.7 milestone</a> on our issue tracker for details.
 <p>
 go1.10.8 (released 2019/01/23) includes a security fix to the
 <code>crypto/elliptic</code> package.  See
-the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.8">Go
+the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.10.8+label%3ACherryPickApproved">Go
 1.10.8 milestone</a> on our issue tracker for details.
 </p>
 
@@ -285,7 +366,7 @@ Read the <a href="/doc/go1.9">Go 1.9 Release Notes</a> for more information.
 
 <p>
 go1.9.1 (released 2017/10/04) includes two security fixes.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.1">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.1+label%3ACherryPickApproved">Go
 1.9.1 milestone</a> on our issue tracker for details.
 </p>
 
@@ -296,7 +377,7 @@ and the <code>crypto/x509</code>, <code>database/sql</code>, <code>log</code>,
 and <code>net/smtp</code> packages.
 It includes a fix to a bug introduced in Go 1.9.1 that broke <code>go</code> <code>get</code>
 of non-Git repositories under certain conditions.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.2">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.2+label%3ACherryPickApproved">Go
 1.9.2 milestone</a> on our issue tracker for details.
 </p>
 
@@ -304,26 +385,26 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.2">Go
 go1.9.3 (released 2018/01/22) includes fixes to the compiler, runtime,
 and the <code>database/sql</code>, <code>math/big</code>, <code>net/http</code>,
 and <code>net/url</code> packages.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.3">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.3+label%3ACherryPickApproved">Go
 1.9.3 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.9.4 (released 2018/02/07) includes a security fix to “go get”.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.4">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.4+label%3ACherryPickApproved">Go
 1.9.4</a> milestone on our issue tracker for details.
 </p>
 
 <p>
 go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and
 <code>net/http/pprof</code> package.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.5">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.5+label%3ACherryPickApproved">Go
 1.9.5 milestone</a> on our issue tracker for details.
 </p>
 
 <p>
 go1.9.6 (released 2018/05/01) includes fixes to the compiler and go command.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.6">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.6+label%3ACherryPickApproved">Go
 1.9.6 milestone</a> on our issue tracker for details.
 </p>
 
@@ -332,7 +413,7 @@ go1.9.7 (released 2018/06/05) includes fixes to the go command, and the
 <code>crypto/x509</code>, and <code>strings</code> packages.
 In particular, it adds <a href="https://go.googlesource.com/go/+/d4e21288e444d3ffd30d1a0737f15ea3fc3b8ad9">
 minimal support to the go command for the vgo transition</a>.
-See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.7">Go
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.9.7+label%3ACherryPickApproved">Go
 1.9.7 milestone</a> on our issue tracker for details.
 </p>
 

doc/go1.10.html

@@ -12,7 +12,7 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.10</h2>

doc/go1.11.html

@@ -12,7 +12,7 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-  ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.11</h2>

doc/go1.12.html

@@ -12,7 +12,7 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-  ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.12</h2>

doc/go1.13.html

@@ -12,16 +12,16 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-  ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
-<h2 id="introduction">DRAFT RELEASE NOTES - Introduction to Go 1.13</h2>
+<h2 id="introduction">Introduction to Go 1.13</h2>
 
 <p>
-  <strong>
-    Go 1.13 is not yet released. These are work-in-progress
-    release notes. Go 1.13 is expected to be released in August 2019.
-  </strong>
+  The latest Go release, version 1.13, arrives six months after <a href="go1.12">Go 1.12</a>.
+  Most of its changes are in the implementation of the toolchain, runtime, and libraries.
+  As always, the release maintains the Go 1 <a href="/doc/go1compat.html">promise of compatibility</a>.
+  We expect almost all Go programs to continue to compile and run as before.
 </p>
 
 <p>
@@ -31,7 +31,8 @@ Do not send CLs removing the interior tags from such phrases.
   for privacy information about these services and the
   <a href="/cmd/go/#hdr-Module_downloading_and_verification">go command documentation</a>
   for configuration details including how to disable the use of these servers or use
-  different ones.
+  different ones. If you depend on non-public modules, see the
+  <a href="/cmd/go/#hdr-Module_configuration_for_non_public_modules">documentation for configuring your environment</a>.
 </p>
 
 <h2 id="language">Changes to the language</h2>
@@ -101,7 +102,7 @@ Do not send CLs removing the interior tags from such phrases.
 
 <h2 id="ports">Ports</h2>
 
-<p>
+<p id="nacl">
   Go 1.13 is the last release that will run on Native Client (NaCl).
 </p>
 
@@ -121,7 +122,7 @@ Do not send CLs removing the interior tags from such phrases.
 <h3 id="android">Android</h3>
 
 <p><!-- CL 170127 -->
-  Go programs are now compatible with Android Q.
+  Go programs are now compatible with Android 10.
 </p>
 
 <h3 id="darwin">Darwin</h3>
@@ -138,7 +139,8 @@ Do not send CLs removing the interior tags from such phrases.
   As <a href="go1.12#freebsd">announced</a> in the Go 1.12 release notes,
   Go 1.13 now requires FreeBSD 11.2 or later;
   support for previous versions has been discontinued.
-  FreeBSD 12.0 or later requires a kernel with the COMPAT_FREEBSD11 option set (this is the default).
+  FreeBSD 12.0 or later requires a kernel with the <code>COMPAT_FREEBSD11</code>
+  option set (this is the default).
 </p>
 
 <h3 id="illumos">Illumos</h3>
@@ -149,18 +151,6 @@ Do not send CLs removing the interior tags from such phrases.
   build tag.
 </p>
 
-<h3 id="netbsd">NetBSD</h3>
-
-<p><!--CL 155739 -->
-  Go now supports NetBSD on arm64.
-</p>
-
-<h3 id="openbsd">OpenBSD</h3>
-
-<p><!--CL 174125 -->
-  Go now supports OpenBSD on arm64.
-</p>
-
 <h3 id="windows">Windows</h3>
 
 <p><!-- CL 178977 -->
@@ -315,7 +305,7 @@ go env -w GOSUMDB=off
 
 <p>
   The <code>go</code> command now verifies the mapping
-  between <a href="/cmd/go#hdr-Pseudo_versions">pseudo-versions</a> and
+  between <a href="/cmd/go/#hdr-Pseudo_versions">pseudo-versions</a> and
   version-control metadata. Specifically:
   <ul>
     <li>The version prefix must be of the form <code>vX.0.0</code>, or derived
@@ -551,9 +541,9 @@ godoc
   To support wrapping, <a href="#fmt"><code>fmt.Errorf</code></a> now has a <code>%w</code>
   verb for creating wrapped errors, and three new functions in
   the <a href="#errors"><code>errors</code></a> package (
-  <a href="/pkg/errors#Unwrap"><code>errors.Unwrap</code></a>,
-  <a href="/pkg/errors#Is"><code>errors.Is</code></a> and
-  <a href="/pkg/errors#As"><code>errors.As</code></a>) simplify unwrapping
+  <a href="/pkg/errors/#Unwrap"><code>errors.Unwrap</code></a>,
+  <a href="/pkg/errors/#Is"><code>errors.Is</code></a> and
+  <a href="/pkg/errors/#As"><code>errors.As</code></a>) simplify unwrapping
   and inspecting wrapped errors.
 </p>
 <p>
@@ -592,10 +582,15 @@ godoc
   <dd>
     <p>
       Support for SSL version 3.0 (SSLv3) <a href="https://golang.org/issue/32716">
-      is now deprecated and will be removed in Go 1.14</a>. Note that SSLv3
-      <a href="https://tools.ietf.org/html/rfc7568">is cryptographically
-      broken</a>, is already disabled by default in <code>crypto/tls</code>,
-      and was never supported by Go clients.
+      is now deprecated and will be removed in Go 1.14</a>. Note that SSLv3 is the
+      <a href="https://tools.ietf.org/html/rfc7568">cryptographically broken</a>
+      protocol predating TLS.
+    </p>
+
+    <p>
+      SSLv3 was always disabled by default, other than in Go 1.12, when it was
+      mistakenly enabled by default server-side. It is now again disabled by
+      default. (SSLv3 was never supported client-side.)
     </p>
 
     <p><!-- CL 177698 -->
@@ -667,6 +662,24 @@ godoc
 
 <dl id="fmt"><dt><a href="/pkg/fmt/">fmt</a></dt>
   <dd>
+    <!-- CL 160245 -->
+    <p>
+      The printing verbs <code>%x</code> and <code>%X</code> now format floating-point and
+      complex numbers in hexadecimal notation, in lower-case and upper-case respectively.
+    </p>
+
+    <!-- CL 160246 -->
+    <p>
+      The new printing verb <code>%O</code> formats integers in base 8, emitting the <code>0o</code> prefix.
+    </p>
+
+    <!-- CL 160247 -->
+    <p>
+      The scanner now accepts hexadecimal floating-point values, digit-separating underscores
+      and leading <code>0b</code> and <code>0o</code> prefixes.
+      See the <a href="#language">Changes to the language</a> for details.
+    </p>
+
     <!-- CL 176998 -->
     <p>The <a href="/pkg/fmt/#Errorf"><code>Errorf</code></a> function
       has a new verb, <code>%w</code>, whose operand must be an error.
@@ -723,6 +736,18 @@ godoc
       The new <a href="/pkg/math/big/#Rat.SetUint64"><code>Rat.SetUint64</code></a> method sets the <code>Rat</code> to a <code>uint64</code> value.
     </p>
 
+    <p><!-- CL 166157 -->
+      For <a href="/pkg/math/big/#Float.Parse"><code>Float.Parse</code></a>, if base is 0, underscores
+      may be used between digits for readability.
+      See the <a href="#language">Changes to the language</a> for details.
+    </p>
+
+    <p><!-- CL 166157 -->
+      For <a href="/pkg/math/big/#Int.SetString"><code>Int.SetString</code></a>, if base is 0, underscores
+      may be used between digits for readability.
+      See the <a href="#language">Changes to the language</a> for details.
+    </p>
+
     <p><!-- CL 168237 -->
       <a href="/pkg/math/big/#Rat.SetString"><code>Rat.SetString</code></a> now accepts non-decimal floating point representations.
     </p>
@@ -745,7 +770,7 @@ godoc
 <dl id="net"><dt><a href="/pkg/net/">net</a></dt>
   <dd>
     <p><!-- CL 156366 -->
-      On Unix systems where <code>use-vc</code> is set in <code>resolve.conf</code>, TCP is used for DNS resolution.
+      On Unix systems where <code>use-vc</code> is set in <code>resolv.conf</code>, TCP is used for DNS resolution.
     </p>
 
     <p><!-- CL 170678 -->
@@ -760,7 +785,7 @@ godoc
       <code>Timeout</code> method that returns <code>true</code> if called.
       This can make a keep-alive error difficult to distinguish from
       an error returned due to a missed deadline as set by the
-      <a href="/pkg/net#Conn"><code>SetDeadline</code></a>
+      <a href="/pkg/net/#Conn"><code>SetDeadline</code></a>
       method and similar methods.
       Code that uses deadlines and checks for them with
       the <code>Timeout</code> method or
@@ -789,13 +814,14 @@ godoc
     </p>
 
     <p><!-- CL 140357 -->
-      When reusing HTTP/2, the <a href="/pkg/net/http#Transport"><code>Transport</code></a> no longer performs unnecessary TLS handshakes.
+      <a href="/pkg/net/http/#Transport.MaxConnsPerHost"><code>Transport.MaxConnsPerHost</code></a> now works
+      properly with HTTP/2.
     </p>
 
     <p><!-- CL 154383 -->
       <a href="/pkg/net/http/#TimeoutHandler"><code>TimeoutHandler</code></a>'s
       <a href="/pkg/net/http/#ResponseWriter"><code>ResponseWriter</code></a> now implements the
-      <a href="/pkg/net/http/#Pusher"><code>Pusher</code></a> and <a href="/pkg/net/http/#Flusher"><code>Flusher</code></a> interfaces.
+      <a href="/pkg/net/http/#Pusher"><code>Pusher</code></a> interface.
     </p>
 
     <p><!-- CL 157339 -->
@@ -813,14 +839,14 @@ godoc
     </p>
 
     <p><!-- CL 167681 -->
-      The new <a href="/pkg/net/http#Server"><code>Server</code></a> fields
+      The new <a href="/pkg/net/http/#Server"><code>Server</code></a> fields
       <a href="/pkg/net/http/#Server.BaseContext"><code>BaseContext</code></a> and
       <a href="/pkg/net/http/#Server.ConnContext"><code>ConnContext</code></a>
-      allow finer control over the <a href="/pkg/context#Context"><code>Context</code></a> values provided to requests and connections.
+      allow finer control over the <a href="/pkg/context/#Context"><code>Context</code></a> values provided to requests and connections.
     </p>
 
     <p><!-- CL 167781 -->
-      <a href="/pkg/net/http#DetectContentType"><code>http.DetectContentType</code></a> now correctly detects RAR signatures, and can now also detect RAR v5 signatures.
+      <a href="/pkg/net/http/#DetectContentType"><code>http.DetectContentType</code></a> now correctly detects RAR signatures, and can now also detect RAR v5 signatures.
     </p>
 
     <p><!-- CL 173658 -->
@@ -836,7 +862,8 @@ godoc
     </p>
 
     <p><!-- CL 179457 -->
-      <a href="/pkg/net/http/#Transport"><code>Transport</code></a> now silently ignores a <code>408 "Request Timeout"</code> response.
+      The <a href="/pkg/net/http/#Transport"><code>Transport</code></a> no longer logs errors when servers
+      gracefully shut down idle connections using a <code>"408 Request Timeout"</code> response.
     </p>
 
 </dl><!-- net/http -->
@@ -858,9 +885,9 @@ godoc
 <dl id="os/exec"><dt><a href="/pkg/os/exec/">os/exec</a></dt>
   <dd>
     <p><!-- CL 174318 -->
-      On Windows, the environment for a <a href="/pkg/os/exec#Cmd"><code>Cmd</code></a> always inherits the
+      On Windows, the environment for a <a href="/pkg/os/exec/#Cmd"><code>Cmd</code></a> always inherits the
       <code>%SYSTEMROOT%</code> value of the parent process unless the
-      <a href="/pkg/os/exec#Cmd.Env"><code>Cmd.Env</code></a> field includes an explicit value for it.
+      <a href="/pkg/os/exec/#Cmd.Env"><code>Cmd.Env</code></a> field includes an explicit value for it.
     </p>
 
 </dl><!-- os/exec -->
@@ -888,7 +915,19 @@ godoc
 
 </dl><!-- runtime -->
 
-<dl id="strings"><dt><a href="/pkg/strings">strings</a></dt>
+<dl id="strconv"><dt><a href="/pkg/strconv/">strconv</a></dt>
+  <dd>
+    <p><!-- CL 160243 -->
+       For <a href="/pkg/strconv/#ParseFloat"><code>strconv.ParseFloat</code></a>,
+       <a href="/pkg/strconv/#ParseInt"><code>strconv.ParseInt</code></a>
+       and <a href="/pkg/strconv/#ParseUint"><code>strconv.ParseUint</code></a>,
+       if base is 0, underscores may be used between digits for readability.
+       See the <a href="#language">Changes to the language</a> for details.
+    </p>
+
+</dl><!-- strconv -->
+
+<dl id="strings"><dt><a href="/pkg/strings/">strings</a></dt>
   <dd>
     <p><!-- CL 142003 -->
       The new <a href="/pkg/strings/#ToValidUTF8"><code>ToValidUTF8</code></a> function returns a
@@ -942,9 +981,10 @@ godoc
 <dl id="syscall/js"><dt><a href="/pkg/syscall/js/">syscall/js</a></dt>
   <dd>
     <p><!-- CL 177537 -->
-      TypedArrayOf has been replaced by
+      <code>TypedArrayOf</code> has been replaced by
       <a href="/pkg/syscall/js/#CopyBytesToGo"><code>CopyBytesToGo</code></a> and
-      <a href="/pkg/syscall/js/#CopyBytesToJS"><code>CopyBytesToJS</code></a> for copying bytes between a byte slice and a Uint8Array.
+      <a href="/pkg/syscall/js/#CopyBytesToJS"><code>CopyBytesToJS</code></a> for copying bytes
+      between a byte slice and a <code>Uint8Array</code>.
     </p>
 
 </dl><!-- syscall/js -->

doc/go1.6.html

@@ -10,7 +10,7 @@ Edit .,s;^([a-z][A-Za-z0-9_/]+)\.([A-Z][A-Za-z0-9_]+\.)?([A-Z][A-Za-z0-9_]+)([ .
 -->
 
 <style>
-ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.6</h2>

doc/go1.7.html

@@ -22,7 +22,7 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.7</h2>

doc/go1.8.html

@@ -12,7 +12,7 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.8</h2>

doc/go1.9.html

@@ -12,7 +12,7 @@ Do not send CLs removing the interior tags from such phrases.
 -->
 
 <style>
-ul li { margin: 0.5em 0; }
+  main ul li { margin: 0.5em 0; }
 </style>
 
 <h2 id="introduction">Introduction to Go 1.9</h2>

src/archive/zip/reader_test.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"encoding/binary"
 	"encoding/hex"
+	"internal/obscuretestdata"
 	"io"
 	"io/ioutil"
 	"os"
@@ -19,11 +20,12 @@ import (
 )
 
 type ZipTest struct {
-	Name    string
-	Source  func() (r io.ReaderAt, size int64) // if non-nil, used instead of testdata/<Name> file
-	Comment string
-	File    []ZipTestFile
-	Error   error // the error that Opening this file should return
+	Name     string
+	Source   func() (r io.ReaderAt, size int64) // if non-nil, used instead of testdata/<Name> file
+	Comment  string
+	File     []ZipTestFile
+	Obscured bool  // needed for Apple notarization (golang.org/issue/34986)
+	Error    error // the error that Opening this file should return
 }
 
 type ZipTestFile struct {
@@ -189,8 +191,12 @@ var tests = []ZipTest{
 	},
 	{
 		// created by Go, before we wrote the "optional" data
-		// descriptor signatures (which are required by OS X)
-		Name: "go-no-datadesc-sig.zip",
+		// descriptor signatures (which are required by macOS).
+		// Use obscured file to avoid Apple’s notarization service
+		// rejecting the toolchain due to an inability to unzip this archive.
+		// See golang.org/issue/34986
+		Name:     "go-no-datadesc-sig.zip.base64",
+		Obscured: true,
 		File: []ZipTestFile{
 			{
 				Name:     "foo.txt",
@@ -208,7 +214,7 @@ var tests = []ZipTest{
 	},
 	{
 		// created by Go, after we wrote the "optional" data
-		// descriptor signatures (which are required by OS X)
+		// descriptor signatures (which are required by macOS)
 		Name: "go-with-datadesc-sig.zip",
 		File: []ZipTestFile{
 			{
@@ -496,8 +502,18 @@ func readTestZip(t *testing.T, zt ZipTest) {
 		rat, size := zt.Source()
 		z, err = NewReader(rat, size)
 	} else {
+		path := filepath.Join("testdata", zt.Name)
+		if zt.Obscured {
+			tf, err := obscuretestdata.DecodeToTempFile(path)
+			if err != nil {
+				t.Errorf("obscuretestdata.DecodeToTempFile(%s): %v", path, err)
+				return
+			}
+			defer os.Remove(tf)
+			path = tf
+		}
 		var rc *ReadCloser
-		rc, err = OpenReader(filepath.Join("testdata", zt.Name))
+		rc, err = OpenReader(path)
 		if err == nil {
 			defer rc.Close()
 			z = &rc.Reader

src/archive/zip/testdata/go-no-datadesc-sig.zip.base64

@@ -0,0 +1 @@
+UEsDBBQACAAAAGWHaECoZTJ+BAAAAAQAAAAHABgAZm9vLnR4dFVUBQAD3lVZT3V4CwABBPUBAAAEFAAAAGZvbwqoZTJ+BAAAAAQAAABQSwMEFAAIAAAAZodoQOmzogQEAAAABAAAAAcAGABiYXIudHh0VVQFAAPgVVlPdXgLAAEE9QEAAAQUAAAAYmFyCumzogQEAAAABAAAAFBLAQIUAxQACAAAAGWHaECoZTJ+BAAAAAQAAAAHABgAAAAAAAAAAACkgQAAAABmb28udHh0VVQFAAPeVVlPdXgLAAEE9QEAAAQUAAAAUEsBAhQDFAAIAAAAZodoQOmzogQEAAAABAAAAAcAGAAAAAAAAAAAAKSBTQAAAGJhci50eHRVVAUAA+BVWU91eAsAAQT1AQAABBQAAABQSwUGAAAAAAIAAgCaAAAAmgAAAAAA

src/cmd/compile/internal/gc/noder.go

@@ -1330,7 +1330,7 @@ func checkLangCompat(lit *syntax.BasicLit) {
 	}
 	// len(s) > 2
 	if strings.Contains(s, "_") {
-		yyerror("underscores in numeric literals only supported as of -lang=go1.13")
+		yyerrorv("go1.13", "underscores in numeric literals")
 		return
 	}
 	if s[0] != '0' {
@@ -1338,15 +1338,15 @@ func checkLangCompat(lit *syntax.BasicLit) {
 	}
 	base := s[1]
 	if base == 'b' || base == 'B' {
-		yyerror("binary literals only supported as of -lang=go1.13")
+		yyerrorv("go1.13", "binary literals")
 		return
 	}
 	if base == 'o' || base == 'O' {
-		yyerror("0o/0O-style octal literals only supported as of -lang=go1.13")
+		yyerrorv("go1.13", "0o/0O-style octal literals")
 		return
 	}
 	if lit.Kind != syntax.IntLit && (base == 'x' || base == 'X') {
-		yyerror("hexadecimal floating-point literals only supported as of -lang=go1.13")
+		yyerrorv("go1.13", "hexadecimal floating-point literals")
 	}
 }
 

src/cmd/compile/internal/gc/subr.go

@@ -154,6 +154,11 @@ func yyerrorl(pos src.XPos, format string, args ...interface{}) {
 	}
 }
 
+func yyerrorv(lang string, format string, args ...interface{}) {
+	what := fmt.Sprintf(format, args...)
+	yyerrorl(lineno, "%s requires %s or later (-lang was set to %s; check go.mod)", what, lang, flag_lang)
+}
+
 func yyerror(format string, args ...interface{}) {
 	yyerrorl(lineno, format, args...)
 }

src/cmd/compile/internal/gc/typecheck.go

@@ -632,7 +632,7 @@ func typecheck1(n *Node, top int) (res *Node) {
 				return n
 			}
 			if t.IsSigned() && !langSupported(1, 13) {
-				yyerror("invalid operation: %v (signed shift count type %v, only supported as of -lang=go1.13)", n, r.Type)
+				yyerrorv("go1.13", "invalid operation: %v (signed shift count type %v)", n, r.Type)
 				n.Type = nil
 				return n
 			}

src/cmd/compile/internal/ssa/poset.go

@@ -116,10 +116,10 @@ type posetNode struct {
 // the nodes are different, either because SetNonEqual was called before, or because
 // we know that they are strictly ordered.
 //
-// It is implemented as a forest of DAGs; in each DAG, if node A dominates B,
-// it means that A<B. Equality is represented by mapping two SSA values to the same
-// DAG node; when a new equality relation is recorded between two existing nodes,
-// the nodes are merged, adjusting incoming and outgoing edges.
+// It is implemented as a forest of DAGs; in each DAG, if there is a path (directed)
+// from node A to B, it means that A<B (or A<=B). Equality is represented by mapping
+// two SSA values to the same DAG node; when a new equality relation is recorded
+// between two existing nodes,the nodes are merged, adjusting incoming and outgoing edges.
 //
 // Constants are specially treated. When a constant is added to the poset, it is
 // immediately linked to other constants already present; so for instance if the
@@ -519,11 +519,11 @@ func (po *poset) dfs(r uint32, strict bool, f func(i uint32) bool) bool {
 	return false
 }
 
-// Returns true if i1 dominates i2.
+// Returns true if there is a path from i1 to i2.
 // If strict ==  true: if the function returns true, then i1 <  i2.
 // If strict == false: if the function returns true, then i1 <= i2.
 // If the function returns false, no relation is known.
-func (po *poset) dominates(i1, i2 uint32, strict bool) bool {
+func (po *poset) reaches(i1, i2 uint32, strict bool) bool {
 	return po.dfs(i1, strict, func(n uint32) bool {
 		return n == i2
 	})
@@ -537,7 +537,7 @@ func (po *poset) findroot(i uint32) uint32 {
 	// storing a bitset for each root using it as a mini bloom filter
 	// of nodes present under that root.
 	for _, r := range po.roots {
-		if po.dominates(r, i, false) {
+		if po.reaches(r, i, false) {
 			return r
 		}
 	}
@@ -560,7 +560,7 @@ func (po *poset) mergeroot(r1, r2 uint32) uint32 {
 // found, the function does not modify the DAG and returns false.
 func (po *poset) collapsepath(n1, n2 *Value) bool {
 	i1, i2 := po.values[n1.ID], po.values[n2.ID]
-	if po.dominates(i1, i2, true) {
+	if po.reaches(i1, i2, true) {
 		return false
 	}
 
@@ -796,7 +796,7 @@ func (po *poset) Ordered(n1, n2 *Value) bool {
 		return false
 	}
 
-	return i1 != i2 && po.dominates(i1, i2, true)
+	return i1 != i2 && po.reaches(i1, i2, true)
 }
 
 // Ordered reports whether n1<=n2. It returns false either when it is
@@ -814,8 +814,7 @@ func (po *poset) OrderedOrEqual(n1, n2 *Value) bool {
 		return false
 	}
 
-	return i1 == i2 || po.dominates(i1, i2, false) ||
-		(po.dominates(i2, i1, false) && !po.dominates(i2, i1, true))
+	return i1 == i2 || po.reaches(i1, i2, false)
 }
 
 // Equal reports whether n1==n2. It returns false either when it is
@@ -923,8 +922,8 @@ func (po *poset) setOrder(n1, n2 *Value, strict bool) bool {
 		// Both n1 and n2 are in the poset. This is the complex part of the algorithm
 		// as we need to find many different cases and DAG shapes.
 
-		// Check if n1 somehow dominates n2
-		if po.dominates(i1, i2, false) {
+		// Check if n1 somehow reaches n2
+		if po.reaches(i1, i2, false) {
 			// This is the table of all cases we need to handle:
 			//
 			//      DAG          New      Action
@@ -935,7 +934,7 @@ func (po *poset) setOrder(n1, n2 *Value, strict bool) bool {
 			// #4:  N1<X<N2   |  N1<N2  | do nothing
 
 			// Check if we're in case #2
-			if strict && !po.dominates(i1, i2, true) {
+			if strict && !po.reaches(i1, i2, true) {
 				po.addchild(i1, i2, true)
 				return true
 			}
@@ -944,8 +943,8 @@ func (po *poset) setOrder(n1, n2 *Value, strict bool) bool {
 			return true
 		}
 
-		// Check if n2 somehow dominates n1
-		if po.dominates(i2, i1, false) {
+		// Check if n2 somehow reaches n1
+		if po.reaches(i2, i1, false) {
 			// This is the table of all cases we need to handle:
 			//
 			//      DAG           New      Action
@@ -1033,10 +1032,10 @@ func (po *poset) SetEqual(n1, n2 *Value) bool {
 
 		// If we already knew that n1<=n2, we can collapse the path to
 		// record n1==n2 (and viceversa).
-		if po.dominates(i1, i2, false) {
+		if po.reaches(i1, i2, false) {
 			return po.collapsepath(n1, n2)
 		}
-		if po.dominates(i2, i1, false) {
+		if po.reaches(i2, i1, false) {
 			return po.collapsepath(n2, n1)
 		}
 
@@ -1084,10 +1083,10 @@ func (po *poset) SetNonEqual(n1, n2 *Value) bool {
 	i1, f1 := po.lookup(n1)
 	i2, f2 := po.lookup(n2)
 	if f1 && f2 {
-		if po.dominates(i1, i2, false) && !po.dominates(i1, i2, true) {
+		if po.reaches(i1, i2, false) && !po.reaches(i1, i2, true) {
 			po.addchild(i1, i2, true)
 		}
-		if po.dominates(i2, i1, false) && !po.dominates(i2, i1, true) {
+		if po.reaches(i2, i1, false) && !po.reaches(i2, i1, true) {
 			po.addchild(i2, i1, true)
 		}
 	}

src/cmd/compile/internal/ssa/poset_test.go

@@ -186,7 +186,7 @@ func TestPoset(t *testing.T) {
 		{OrderedOrEqual, 4, 12},
 		{OrderedOrEqual_Fail, 12, 4},
 		{OrderedOrEqual, 4, 7},
-		{OrderedOrEqual, 7, 4},
+		{OrderedOrEqual_Fail, 7, 4},
 
 		// Dag #1: 1<4<=7<12
 		{Checkpoint, 0, 0},
@@ -450,7 +450,7 @@ func TestSetEqual(t *testing.T) {
 		{SetOrderOrEqual, 20, 100},
 		{SetOrder, 100, 110},
 		{OrderedOrEqual, 10, 30},
-		{OrderedOrEqual, 30, 10},
+		{OrderedOrEqual_Fail, 30, 10},
 		{Ordered_Fail, 10, 30},
 		{Ordered_Fail, 30, 10},
 		{Ordered, 10, 40},

src/cmd/cover/func.go

@@ -191,6 +191,10 @@ func findPkgs(profiles []*Profile) (map[string]*Pkg, error) {
 		}
 	}
 
+	if len(list) == 0 {
+		return pkgs, nil
+	}
+
 	// Note: usually run as "go tool cover" in which case $GOROOT is set,
 	// in which case runtime.GOROOT() does exactly what we want.
 	goTool := filepath.Join(runtime.GOROOT(), "bin/go")

src/cmd/go.mod

@@ -5,7 +5,7 @@ go 1.12
 require (
 	github.com/google/pprof v0.0.0-20190515194954-54271f7e092f
 	github.com/ianlancetaylor/demangle v0.0.0-20180524225900-fc6590592b44 // indirect
-	golang.org/x/arch v0.0.0-20181203225421-5a4828bb7045
+	golang.org/x/arch v0.0.0-20190815191158-8a70ba74b3a1
 	golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c
 	golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82 // indirect
 	golang.org/x/tools v0.0.0-20190611154301-25a4f137592f

src/cmd/go.sum

@@ -2,8 +2,8 @@ github.com/google/pprof v0.0.0-20190515194954-54271f7e092f h1:Jnx61latede7zDD3Di
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/ianlancetaylor/demangle v0.0.0-20180524225900-fc6590592b44 h1:pKqc8lAAA6rcwpvsephnRuZp4VHbfszZRClvqAE6Sq8=
 github.com/ianlancetaylor/demangle v0.0.0-20180524225900-fc6590592b44/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-golang.org/x/arch v0.0.0-20181203225421-5a4828bb7045 h1:Pn8fQdvx+z1avAi7fdM2kRYWQNxGlavNDSyzrQg2SsU=
-golang.org/x/arch v0.0.0-20181203225421-5a4828bb7045/go.mod h1:cYlCBUl1MsqxdiKgmc4uh7TxZfWSFLOGSRR090WDxt8=
+golang.org/x/arch v0.0.0-20190815191158-8a70ba74b3a1 h1:A71BZbKSu+DtCNry/x5JKn20C+64DirDHmePEA8k0FY=
+golang.org/x/arch v0.0.0-20190815191158-8a70ba74b3a1/go.mod h1:flIaEI6LNU6xOCD5PaJvn9wGP0agmIOqjrtsKGRguv4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c h1:Vj5n4GlwjmQteupaxJ9+0FNOmBrHfq7vN4btdGoDZgI=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -17,3 +17,4 @@ golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190611154301-25a4f137592f h1:6awn5JC4pwVI5HiBqs7MDtRxnwV9PpO5iSA9v6P09pA=
 golang.org/x/tools v0.0.0-20190611154301-25a4f137592f/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=

src/cmd/go/alldocs.go

@@ -1018,7 +1018,6 @@
 //         Dir      string // absolute path to cached source root directory
 //         Sum      string // checksum for path, version (as in go.sum)
 //         GoModSum string // checksum for go.mod (as in go.sum)
-//         Latest   bool   // would @latest resolve to this version?
 //     }
 //
 // See 'go help modules' for more about module queries.

src/cmd/go/internal/get/vcs.go

@@ -164,8 +164,14 @@ var vcsGit = &vcsCmd{
 	// See golang.org/issue/9032.
 	tagSyncDefault: []string{"submodule update --init --recursive"},
 
-	scheme:     []string{"git", "https", "http", "git+ssh", "ssh"},
-	pingCmd:    "ls-remote -- {scheme}://{repo}",
+	scheme: []string{"git", "https", "http", "git+ssh", "ssh"},
+
+	// Leave out the '--' separator in the ls-remote command: git 2.7.4 does not
+	// support such a separator for that command, and this use should be safe
+	// without it because the {scheme} value comes from the predefined list above.
+	// See golang.org/issue/33836.
+	pingCmd: "ls-remote {scheme}://{repo}",
+
 	remoteRepo: gitRemoteRepo,
 }
 
@@ -898,7 +904,7 @@ func metaImportsForPrefix(importPrefix string, mod ModuleMode, security web.Secu
 		}
 		resp, err := web.Get(security, url)
 		if err != nil {
-			return setCache(fetchResult{url: url, err: fmt.Errorf("fetch %s: %v", resp.URL, err)})
+			return setCache(fetchResult{url: url, err: fmt.Errorf("fetching %s: %v", importPrefix, err)})
 		}
 		body := resp.Body
 		defer body.Close()
@@ -907,7 +913,7 @@ func metaImportsForPrefix(importPrefix string, mod ModuleMode, security web.Secu
 			return setCache(fetchResult{url: url, err: fmt.Errorf("parsing %s: %v", resp.URL, err)})
 		}
 		if len(imports) == 0 {
-			err = fmt.Errorf("fetch %s: no go-import meta tag", url)
+			err = fmt.Errorf("fetching %s: no go-import meta tag found in %s", importPrefix, resp.URL)
 		}
 		return setCache(fetchResult{url: url, imports: imports, err: err})
 	})

src/cmd/go/internal/load/pkg.go

@@ -1950,9 +1950,14 @@ func Packages(args []string) []*Package {
 // cannot be loaded at all.
 // The packages that fail to load will have p.Error != nil.
 func PackagesAndErrors(patterns []string) []*Package {
-	if len(patterns) > 0 {
-		for _, p := range patterns {
-			if strings.HasSuffix(p, ".go") {
+	for _, p := range patterns {
+		// Listing is only supported with all patterns referring to either:
+		// - Files that are part of the same directory.
+		// - Explicit package paths or patterns.
+		if strings.HasSuffix(p, ".go") {
+			// We need to test whether the path is an actual Go file and not a
+			// package path or pattern ending in '.go' (see golang.org/issue/34653).
+			if fi, err := os.Stat(p); err == nil && !fi.IsDir() {
 				return []*Package{GoFilesPackage(patterns)}
 			}
 		}

src/cmd/go/internal/load/test.go

@@ -399,10 +399,13 @@ func recompileForTest(pmain, preal, ptest, pxtest *Package) {
 			}
 		}
 
-		// Don't compile build info from a main package. This can happen
-		// if -coverpkg patterns include main packages, since those packages
-		// are imported by pmain. See golang.org/issue/30907.
-		if p.Internal.BuildInfo != "" && p != pmain {
+		// Force main packages the test imports to be built as libraries.
+		// Normal imports of main packages are forbidden by the package loader,
+		// but this can still happen if -coverpkg patterns include main packages:
+		// covered packages are imported by pmain. Linking multiple packages
+		// compiled with '-p main' causes duplicate symbol errors.
+		// See golang.org/issue/30907, golang.org/issue/34114.
+		if p.Name == "main" && p != pmain && p != ptest {
 			split()
 		}
 	}

src/cmd/go/internal/modcmd/download.go

@@ -43,7 +43,6 @@ corresponding to this Go struct:
         Dir      string // absolute path to cached source root directory
         Sum      string // checksum for path, version (as in go.sum)
         GoModSum string // checksum for go.mod (as in go.sum)
-        Latest   bool   // would @latest resolve to this version?
     }
 
 See 'go help modules' for more about module queries.
@@ -66,7 +65,6 @@ type moduleJSON struct {
 	Dir      string `json:",omitempty"`
 	Sum      string `json:",omitempty"`
 	GoModSum string `json:",omitempty"`
-	Latest   bool   `json:",omitempty"`
 }
 
 func runDownload(cmd *base.Command, args []string) {
@@ -105,31 +103,6 @@ func runDownload(cmd *base.Command, args []string) {
 		work.Add(m)
 	}
 
-	latest := map[string]string{} // path → version
-	if *downloadJSON {
-		// We need to populate the Latest field, but if the main module depends on a
-		// version newer than latest — or if the version requested on the command
-		// line is itself newer than latest — that's not trivial to determine from
-		// the info returned by ListModules. Instead, we issue a separate
-		// ListModules request for "latest", which should be inexpensive relative to
-		// downloading the modules.
-		var latestArgs []string
-		for _, m := range mods {
-			if m.Error != "" {
-				continue
-			}
-			latestArgs = append(latestArgs, m.Path+"@latest")
-		}
-
-		if len(latestArgs) > 0 {
-			for _, info := range modload.ListModules(latestArgs, listU, listVersions) {
-				if info.Version != "" {
-					latest[info.Path] = info.Version
-				}
-			}
-		}
-	}
-
 	work.Do(10, func(item interface{}) {
 		m := item.(*moduleJSON)
 		var err error
@@ -160,9 +133,6 @@ func runDownload(cmd *base.Command, args []string) {
 			m.Error = err.Error()
 			return
 		}
-		if latest[m.Path] == m.Version {
-			m.Latest = true
-		}
 	})
 
 	if *downloadJSON {

src/cmd/go/internal/modfetch/codehost/git.go

@@ -241,13 +241,6 @@ func (r *gitRepo) findRef(hash string) (ref string, ok bool) {
 	return "", false
 }
 
-func unshallow(gitDir string) []string {
-	if _, err := os.Stat(filepath.Join(gitDir, "shallow")); err == nil {
-		return []string{"--unshallow"}
-	}
-	return []string{}
-}
-
 // minHashDigits is the minimum number of digits to require
 // before accepting a hex digit sequence as potentially identifying
 // a specific commit in a git repo. (Of course, users can always
@@ -397,29 +390,27 @@ func (r *gitRepo) stat(rev string) (*RevInfo, error) {
 // fetchRefsLocked requires that r.mu remain locked for the duration of the call.
 func (r *gitRepo) fetchRefsLocked() error {
 	if r.fetchLevel < fetchAll {
-		if err := r.fetchUnshallow("refs/heads/*:refs/heads/*", "refs/tags/*:refs/tags/*"); err != nil {
+		// NOTE: To work around a bug affecting Git clients up to at least 2.23.0
+		// (2019-08-16), we must first expand the set of local refs, and only then
+		// unshallow the repository as a separate fetch operation. (See
+		// golang.org/issue/34266 and
+		// https://github.com/git/git/blob/4c86140027f4a0d2caaa3ab4bd8bfc5ce3c11c8a/transport.c#L1303-L1309.)
+
+		if _, err := Run(r.dir, "git", "fetch", "-f", r.remote, "refs/heads/*:refs/heads/*", "refs/tags/*:refs/tags/*"); err != nil {
 			return err
 		}
+
+		if _, err := os.Stat(filepath.Join(r.dir, "shallow")); err == nil {
+			if _, err := Run(r.dir, "git", "fetch", "--unshallow", "-f", r.remote); err != nil {
+				return err
+			}
+		}
+
 		r.fetchLevel = fetchAll
 	}
 	return nil
 }
 
-func (r *gitRepo) fetchUnshallow(refSpecs ...string) error {
-	// To work around a protocol version 2 bug that breaks --unshallow,
-	// add -c protocol.version=0.
-	// TODO(rsc): The bug is believed to be server-side, meaning only
-	// on Google's Git servers. Once the servers are fixed, drop the
-	// protocol.version=0. See Google-internal bug b/110495752.
-	var protoFlag []string
-	unshallowFlag := unshallow(r.dir)
-	if len(unshallowFlag) > 0 {
-		protoFlag = []string{"-c", "protocol.version=0"}
-	}
-	_, err := Run(r.dir, "git", protoFlag, "fetch", unshallowFlag, "-f", r.remote, refSpecs)
-	return err
-}
-
 // statLocal returns a RevInfo describing rev in the local git repository.
 // It uses version as info.Version.
 func (r *gitRepo) statLocal(version, rev string) (*RevInfo, error) {
@@ -539,39 +530,10 @@ func (r *gitRepo) ReadFileRevs(revs []string, file string, maxSize int64) (map[s
 	}
 	defer unlock()
 
-	var refs []string
-	var protoFlag []string
-	var unshallowFlag []string
-	for _, tag := range redo {
-		refs = append(refs, "refs/tags/"+tag+":refs/tags/"+tag)
-	}
-	if len(refs) > 1 {
-		unshallowFlag = unshallow(r.dir)
-		if len(unshallowFlag) > 0 {
-			// To work around a protocol version 2 bug that breaks --unshallow,
-			// add -c protocol.version=0.
-			// TODO(rsc): The bug is believed to be server-side, meaning only
-			// on Google's Git servers. Once the servers are fixed, drop the
-			// protocol.version=0. See Google-internal bug b/110495752.
-			protoFlag = []string{"-c", "protocol.version=0"}
-		}
-	}
-	if _, err := Run(r.dir, "git", protoFlag, "fetch", unshallowFlag, "-f", r.remote, refs); err != nil {
+	if err := r.fetchRefsLocked(); err != nil {
 		return nil, err
 	}
 
-	// TODO(bcmills): after the 1.11 freeze, replace the block above with:
-	//	if r.fetchLevel <= fetchSome {
-	//		r.fetchLevel = fetchSome
-	//		var refs []string
-	//		for _, tag := range redo {
-	//			refs = append(refs, "refs/tags/"+tag+":refs/tags/"+tag)
-	//		}
-	//		if _, err := Run(r.dir, "git", "fetch", "--update-shallow", "-f", r.remote, refs); err != nil {
-	//			return nil, err
-	//		}
-	//	}
-
 	if _, err := r.readFileRevs(redo, file, files); err != nil {
 		return nil, err
 	}

src/cmd/go/internal/modfetch/coderepo_test.go

@@ -334,16 +334,6 @@ var codeRepoTests = []codeRepoTest{
 		time:    time.Date(2016, 12, 8, 18, 13, 25, 0, time.UTC),
 		gomod:   "module gopkg.in/check.v1\n",
 	},
-	{
-		vcs:     "git",
-		path:    "gopkg.in/yaml.v2",
-		rev:     "v2",
-		version: "v2.2.3-0.20190319135612-7b8349ac747c",
-		name:    "7b8349ac747c6a24702b762d2c4fd9266cf4f1d6",
-		short:   "7b8349ac747c",
-		time:    time.Date(2019, 03, 19, 13, 56, 12, 0, time.UTC),
-		gomod:   "module \"gopkg.in/yaml.v2\"\n\nrequire (\n\t\"gopkg.in/check.v1\" v0.0.0-20161208181325-20d25e280405\n)\n",
-	},
 	{
 		vcs:     "git",
 		path:    "vcs-test.golang.org/go/mod/gitrepo1",

src/cmd/go/internal/modget/get.go

@@ -452,10 +452,13 @@ func runGet(cmd *base.Command, args []string) {
 	// This includes explicitly requested modules that don't have a root package
 	// and modules with a target version of "none".
 	var wg sync.WaitGroup
+	var modOnlyMu sync.Mutex
 	modOnly := make(map[string]*query)
 	for _, q := range queries {
 		if q.m.Version == "none" {
+			modOnlyMu.Lock()
 			modOnly[q.m.Path] = q
+			modOnlyMu.Unlock()
 			continue
 		}
 		if q.path == q.m.Path {
@@ -464,7 +467,9 @@ func runGet(cmd *base.Command, args []string) {
 				if hasPkg, err := modload.ModuleHasRootPackage(q.m); err != nil {
 					base.Errorf("go get: %v", err)
 				} else if !hasPkg {
+					modOnlyMu.Lock()
 					modOnly[q.m.Path] = q
+					modOnlyMu.Unlock()
 				}
 				wg.Done()
 			}(q)

src/cmd/go/internal/modload/import_test.go

@@ -21,7 +21,7 @@ var importTests = []struct {
 	},
 	{
 		path: "golang.org/x/net",
-		err:  "module golang.org/x/net@.* found, but does not contain package golang.org/x/net",
+		err:  `module golang.org/x/net@.* found \(v0.0.0-.*\), but does not contain package golang.org/x/net`,
 	},
 	{
 		path: "golang.org/x/text",

src/cmd/go/internal/modload/load.go

@@ -1140,7 +1140,7 @@ func (r *mvsReqs) required(mod module.Version) ([]module.Version, error) {
 	if mpath := f.Module.Mod.Path; mpath != origPath && mpath != mod.Path {
 		return nil, module.VersionError(mod, fmt.Errorf(`parsing go.mod:
 	module declares its path as: %s
-	        but was required as: %s`, mod.Path, mpath))
+	        but was required as: %s`, mpath, mod.Path))
 	}
 	if f.Go != nil {
 		r.versions.LoadOrStore(mod, f.Go.Version)
@@ -1205,6 +1205,11 @@ func (*mvsReqs) next(m module.Version) (module.Version, error) {
 	return module.Version{Path: m.Path, Version: "none"}, nil
 }
 
+// fetch downloads the given module (or its replacement)
+// and returns its location.
+//
+// The isLocal return value reports whether the replacement,
+// if any, is local to the filesystem.
 func fetch(mod module.Version) (dir string, isLocal bool, err error) {
 	if mod == Target {
 		return ModRoot(), true, nil

src/cmd/go/internal/modload/query.go

@@ -381,9 +381,10 @@ func QueryPattern(pattern, query string, allowed func(module.Version) bool) ([]Q
 			r.Packages = match(r.Mod, root, isLocal)
 			if len(r.Packages) == 0 {
 				return r, &PackageNotInModuleError{
-					Mod:     r.Mod,
-					Query:   query,
-					Pattern: pattern,
+					Mod:         r.Mod,
+					Replacement: Replacement(r.Mod),
+					Query:       query,
+					Pattern:     pattern,
 				}
 			}
 			return r, nil
@@ -471,7 +472,17 @@ func queryPrefixModules(candidateModules []string, queryModule func(path string)
 					notExistErr = rErr
 				}
 			} else if err == nil {
-				err = r.err
+				if len(found) > 0 || noPackage != nil {
+					// golang.org/issue/34094: If we have already found a module that
+					// could potentially contain the target package, ignore unclassified
+					// errors for modules with shorter paths.
+
+					// golang.org/issue/34383 is a special case of this: if we have
+					// already found example.com/foo/v2@v2.0.0 with a matching go.mod
+					// file, ignore the error from example.com/foo@v2.0.0.
+				} else {
+					err = r.err
+				}
 			}
 		}
 	}
@@ -526,21 +537,32 @@ func (e *NoMatchingVersionError) Error() string {
 // code for the versions it knows about, and thus did not have the opportunity
 // to return a non-400 status code to suppress fallback.
 type PackageNotInModuleError struct {
-	Mod     module.Version
-	Query   string
-	Pattern string
+	Mod         module.Version
+	Replacement module.Version
+	Query       string
+	Pattern     string
 }
 
 func (e *PackageNotInModuleError) Error() string {
 	found := ""
-	if e.Query != e.Mod.Version {
+	if r := e.Replacement; r.Path != "" {
+		replacement := r.Path
+		if r.Version != "" {
+			replacement = fmt.Sprintf("%s@%s", r.Path, r.Version)
+		}
+		if e.Query == e.Mod.Version {
+			found = fmt.Sprintf(" (replaced by %s)", replacement)
+		} else {
+			found = fmt.Sprintf(" (%s, replaced by %s)", e.Mod.Version, replacement)
+		}
+	} else if e.Query != e.Mod.Version {
 		found = fmt.Sprintf(" (%s)", e.Mod.Version)
 	}
 
 	if strings.Contains(e.Pattern, "...") {
-		return fmt.Sprintf("module %s@%s%s found, but does not contain packages matching %s", e.Mod.Path, e.Query, found, e.Pattern)
+		return fmt.Sprintf("module %s@%s found%s, but does not contain packages matching %s", e.Mod.Path, e.Query, found, e.Pattern)
 	}
-	return fmt.Sprintf("module %s@%s%s found, but does not contain package %s", e.Mod.Path, e.Query, found, e.Pattern)
+	return fmt.Sprintf("module %s@%s found%s, but does not contain package %s", e.Mod.Path, e.Query, found, e.Pattern)
 }
 
 // ModuleHasRootPackage returns whether module m contains a package m.Path.

src/cmd/go/internal/search/search.go

@@ -363,30 +363,40 @@ func ImportPathsQuiet(patterns []string) []*Match {
 
 // CleanPatterns returns the patterns to use for the given
 // command line. It canonicalizes the patterns but does not
-// evaluate any matches.
+// evaluate any matches. It preserves text after '@' for commands
+// that accept versions.
 func CleanPatterns(patterns []string) []string {
 	if len(patterns) == 0 {
 		return []string{"."}
 	}
 	var out []string
 	for _, a := range patterns {
+		var p, v string
+		if i := strings.IndexByte(a, '@'); i < 0 {
+			p = a
+		} else {
+			p = a[:i]
+			v = a[i:]
+		}
+
 		// Arguments are supposed to be import paths, but
 		// as a courtesy to Windows developers, rewrite \ to /
 		// in command-line arguments. Handles .\... and so on.
 		if filepath.Separator == '\\' {
-			a = strings.ReplaceAll(a, `\`, `/`)
+			p = strings.ReplaceAll(p, `\`, `/`)
 		}
 
 		// Put argument in canonical form, but preserve leading ./.
-		if strings.HasPrefix(a, "./") {
-			a = "./" + path.Clean(a)
-			if a == "./." {
-				a = "."
+		if strings.HasPrefix(p, "./") {
+			p = "./" + path.Clean(p)
+			if p == "./." {
+				p = "."
 			}
 		} else {
-			a = path.Clean(a)
+			p = path.Clean(p)
 		}
-		out = append(out, a)
+
+		out = append(out, p+v)
 	}
 	return out
 }

src/cmd/go/internal/test/test.go

@@ -572,8 +572,9 @@ func runTest(cmd *base.Command, args []string) {
 	}
 
 	// Pass timeout to tests if it exists.
+	// Prepend rather than appending so that it appears before positional arguments.
 	if testActualTimeout > 0 {
-		testArgs = append(testArgs, "-test.timeout="+testActualTimeout.String())
+		testArgs = append([]string{"-test.timeout=" + testActualTimeout.String()}, testArgs...)
 	}
 
 	// show passing test output (after buffering) with -v flag.

src/cmd/go/internal/work/exec.go

@@ -200,12 +200,12 @@ func (b *Builder) buildActionID(a *Action) cache.ActionID {
 	// same compiler settings and can reuse each other's results.
 	// If not, the reason is already recorded in buildGcflags.
 	fmt.Fprintf(h, "compile\n")
+	// Only include the package directory if it may affect the output.
+	// We trim workspace paths for all packages when -trimpath is set.
 	// The compiler hides the exact value of $GOROOT
-	// when building things in GOROOT,
-	// but it does not hide the exact value of $GOPATH.
-	// Include the full dir in that case.
+	// when building things in GOROOT.
 	// Assume b.WorkDir is being trimmed properly.
-	if !p.Goroot && !strings.HasPrefix(p.Dir, b.WorkDir) {
+	if !p.Goroot && !cfg.BuildTrimpath && !strings.HasPrefix(p.Dir, b.WorkDir) {
 		fmt.Fprintf(h, "dir %s\n", p.Dir)
 	}
 	fmt.Fprintf(h, "goos %s goarch %s\n", cfg.Goos, cfg.Goarch)
@@ -1030,7 +1030,7 @@ func (b *Builder) vet(a *Action) error {
 	// dependency tree turn on *more* analysis, as here.
 	// (The unsafeptr check does not write any facts for use by
 	// later vet runs.)
-	if a.Package.Goroot && !VetExplicit {
+	if a.Package.Goroot && !VetExplicit && VetTool == "" {
 		// Note that $GOROOT/src/buildall.bash
 		// does the same for the misc-compile trybots
 		// and should be updated if these flags are

src/cmd/go/script_test.go

@@ -441,10 +441,15 @@ func (ts *testScript) cmdCmp(neg bool, args []string) {
 		// It would be strange to say "this file can have any content except this precise byte sequence".
 		ts.fatalf("unsupported: ! cmp")
 	}
+	quiet := false
+	if len(args) > 0 && args[0] == "-q" {
+		quiet = true
+		args = args[1:]
+	}
 	if len(args) != 2 {
 		ts.fatalf("usage: cmp file1 file2")
 	}
-	ts.doCmdCmp(args, false)
+	ts.doCmdCmp(args, false, quiet)
 }
 
 // cmpenv compares two files with environment variable substitution.
@@ -452,13 +457,18 @@ func (ts *testScript) cmdCmpenv(neg bool, args []string) {
 	if neg {
 		ts.fatalf("unsupported: ! cmpenv")
 	}
+	quiet := false
+	if len(args) > 0 && args[0] == "-q" {
+		quiet = true
+		args = args[1:]
+	}
 	if len(args) != 2 {
 		ts.fatalf("usage: cmpenv file1 file2")
 	}
-	ts.doCmdCmp(args, true)
+	ts.doCmdCmp(args, true, quiet)
 }
 
-func (ts *testScript) doCmdCmp(args []string, env bool) {
+func (ts *testScript) doCmdCmp(args []string, env, quiet bool) {
 	name1, name2 := args[0], args[1]
 	var text1, text2 string
 	if name1 == "stdout" {
@@ -484,7 +494,9 @@ func (ts *testScript) doCmdCmp(args []string, env bool) {
 		return
 	}
 
-	fmt.Fprintf(&ts.log, "[diff -%s +%s]\n%s\n", name1, name2, diff(text1, text2))
+	if !quiet {
+		fmt.Fprintf(&ts.log, "[diff -%s +%s]\n%s\n", name1, name2, diff(text1, text2))
+	}
 	ts.fatalf("%s and %s differ", name1, name2)
 }
 

src/cmd/go/testdata/mod/example.com_badchain_c_v1.1.0.txt

@@ -1,7 +1,7 @@
 example.com/badchain/c v1.1.0
 
 -- .mod --
-module example.com/badchain/wrong
+module badchain.example.com/c
 -- .info --
 {"Version":"v1.1.0"}
 -- c.go --

src/cmd/go/testdata/mod/example.com_dotgo.go_v1.0.0.txt

@@ -0,0 +1,16 @@
+This module's path ends with ".go".
+Based on github.com/nats-io/nats.go.
+Used in regression tests for golang.org/issue/32483.
+
+-- .mod --
+module example.com/dotgo.go
+
+go 1.13
+-- .info --
+{"Version":"v1.0.0"}
+-- go.mod --
+module example.com/dotgo.go
+
+go 1.13
+-- dotgo.go --
+package dotgo

src/cmd/go/testdata/script/build_trimpath.txt

@@ -1,21 +1,44 @@
 [short] skip
 
 env -r GOROOT_REGEXP=$GOROOT
-env -r WORK_REGEXP=$WORK
+env -r WORK_REGEXP='$WORK'  # don't expand $WORK; grep replaces $WORK in text before matching.
 env GOROOT GOROOT_REGEXP WORK WORK_REGEXP
 
+# A binary built without -trimpath should contain the current workspace
+# and GOROOT for debugging and stack traces.
+cd a
+go build -o hello.exe hello.go
+grep -q $WORK_REGEXP hello.exe
+grep -q $GOROOT_REGEXP hello.exe
+
+# A binary built with -trimpath should not contain the current workspace
+# or GOROOT.
 go build -trimpath -o hello.exe hello.go
 ! grep -q $GOROOT_REGEXP hello.exe
 ! grep -q $WORK_REGEXP hello.exe
+cd ..
 
+# A binary from an external module built with -trimpath should not contain
+# the current workspace or GOROOT.
 env GO111MODULE=on
 go build -trimpath -o fortune.exe rsc.io/fortune
 ! grep -q $GOROOT_REGEXP fortune.exe
 ! grep -q $WORK_REGEXP fortune.exe
 
--- hello.go --
+# Two binaries built from identical packages in different directories
+# should be identical.
+mkdir b
+cp a/go.mod a/hello.go b
+cd a
+go build -trimpath -o ../a.exe .
+cd ../b
+go build -trimpath -o ../b.exe .
+cd ..
+cmp -q a.exe b.exe
+
+-- a/hello.go --
 package main
 func main() { println("hello") }
 
--- go.mod --
+-- a/go.mod --
 module m

src/cmd/go/testdata/script/cover_mod_empty.txt

@@ -0,0 +1,9 @@
+go tool cover -func=cover.out
+stdout total.*statements.*0.0%
+
+go mod init golang.org/issue/33855
+
+go tool cover -func=cover.out
+stdout total.*statements.*0.0%
+
+-- cover.out --

src/cmd/go/testdata/script/cover_pkgall_multiple_mains.txt

@@ -1,29 +1,32 @@
 # This test checks that multiple main packages can be tested
 # with -coverpkg=all without duplicate symbol errors.
-# Verifies golang.org/issue/30374.
-
-env GO111MODULE=on
+# Verifies golang.org/issue/30374, golang.org/issue/34114.
 
 [short] skip
+cd $GOPATH/src/example.com/cov
 
+env GO111MODULE=on
 go test -coverpkg=all ./...
 
--- go.mod --
+env GO111MODULE=off
+go test -coverpkg=all ./...
+
+-- $GOPATH/src/example.com/cov/go.mod --
 module example.com/cov
 
--- mainonly/mainonly.go --
+-- $GOPATH/src/example.com/cov/mainonly/mainonly.go --
 package main
 
 func main() {}
 
--- mainwithtest/mainwithtest.go --
+-- $GOPATH/src/example.com/cov/mainwithtest/mainwithtest.go --
 package main
 
 func main() {}
 
 func Foo() {}
 
--- mainwithtest/mainwithtest_test.go --
+-- $GOPATH/src/example.com/cov/mainwithtest/mainwithtest_test.go --
 package main
 
 import "testing"
@@ -32,10 +35,10 @@ func TestFoo(t *testing.T) {
   Foo()
 }
 
--- xtest/x.go --
+-- $GOPATH/src/example.com/cov/xtest/x.go --
 package x
 
--- xtest/x_test.go --
+-- $GOPATH/src/example.com/cov/xtest/x_test.go --
 package x_test
 
 import "testing"

src/cmd/go/testdata/script/get_insecure_redirect.txt

@@ -1,11 +1,10 @@
 # golang.org/issue/29591: 'go get' was following plain-HTTP redirects even without -insecure.
+# golang.org/issue/34049: 'go get' would panic in case of an insecure redirect in GOPATH mode
 
 [!net] skip
 [!exec:git] skip
 
-env GO111MODULE=on
-env GOPROXY=direct
-env GOSUMDB=off
+env GO111MODULE=off
 
 ! go get -d vcs-test.golang.org/insecure/go/insecure
 stderr 'redirected .* to insecure URL'

src/cmd/go/testdata/script/list_ambiguous_path.txt

@@ -0,0 +1,37 @@
+# Ensures that we can correctly list package patterns ending in '.go'.
+# See golang.org/issue/34653.
+
+# A single pattern for a package ending in '.go'.
+go list ./foo.go
+stdout '^test/foo.go$'
+
+# Multiple patterns for packages including one ending in '.go'.
+go list ./bar ./foo.go
+stdout '^test/bar$'
+stdout '^test/foo.go$'
+
+# A single pattern for a Go file.
+go list ./a.go
+stdout '^command-line-arguments$'
+
+# A single typo-ed pattern for a Go file. This should
+# treat the wrong pattern as if it were a package.
+! go list ./foo.go/b.go
+stderr 'package ./foo.go/b.go: cannot find package "."'
+
+# Multiple patterns for Go files with a typo. This should
+# treat the wrong pattern as if it were a non-existint file.
+! go list ./foo.go/a.go ./foo.go/b.go
+[windows] stderr './foo.go/b.go: The system cannot find the file specified'
+[!windows] stderr './foo.go/b.go: no such file or directory'
+
+-- a.go --
+package main
+-- bar/a.go --
+package bar
+-- foo.go/a.go --
+package foo.go
+-- go.mod --
+module "test"
+
+go 1.13

src/cmd/go/testdata/script/list_split_main.txt

@@ -0,0 +1,25 @@
+# This test checks that a "main" package with an external test package
+# is recompiled only once.
+# Verifies golang.org/issue/34321.
+
+env GO111MODULE=off
+
+go list -e -test -deps -f '{{if not .Standard}}{{.ImportPath}}{{end}}' pkg
+cmp stdout want
+
+-- $GOPATH/src/pkg/pkg.go --
+package main
+
+func main() {}
+
+-- $GOPATH/src/pkg/pkg_test.go --
+package main
+
+import "testing"
+
+func Test(t *testing.T) {}
+
+-- want --
+pkg
+pkg [pkg.test]
+pkg.test

src/cmd/go/testdata/script/mod_download.txt

@@ -17,7 +17,6 @@ stderr 'this.domain.is.invalid'
 stdout '"Error": ".*this.domain.is.invalid.*"'
 
 # download -json with version should print JSON
-# and download the .info file for the 'latest' version.
 go mod download -json 'rsc.io/quote@<=v1.5.0'
 stdout '^\t"Path": "rsc.io/quote"'
 stdout '^\t"Version": "v1.5.0"'
@@ -28,14 +27,13 @@ stdout '^\t"Sum": "h1:6fJa6E\+wGadANKkUMlZ0DhXFpoKlslOQDCo259XtdIE="'  # hash of
 stdout '^\t"GoModSum": "h1:LzX7hefJvL54yjefDEDHNONDjII0t9xZLPXsUe\+TKr0="'
 ! stdout '"Error"'
 
-exists $GOPATH/pkg/mod/cache/download/rsc.io/quote/@v/v1.5.2.info
-
 # download queries above should not have added to go.mod.
 go list -m all
 ! stdout rsc.io
 
 # add to go.mod so we can test non-query downloads
 go mod edit -require rsc.io/quote@v1.5.2
+! exists $GOPATH/pkg/mod/cache/download/rsc.io/quote/@v/v1.5.2.info
 ! exists $GOPATH/pkg/mod/cache/download/rsc.io/quote/@v/v1.5.2.mod
 ! exists $GOPATH/pkg/mod/cache/download/rsc.io/quote/@v/v1.5.2.zip
 

src/cmd/go/testdata/script/mod_download_latest.txt

@@ -1,20 +0,0 @@
-env GO111MODULE=on
-
-# If the module is the latest version of itself,
-# the Latest field should be set.
-go mod download -json rsc.io/quote@v1.5.2
-stdout '"Latest":\s*true'
-
-# If the module is older than latest, the field should be unset.
-go mod download -json rsc.io/quote@v1.5.1
-! stdout '"Latest":'
-
-# If the module is newer than "latest", the field should be unset...
-go mod download -json rsc.io/quote@v1.5.3-pre1
-! stdout '"Latest":'
-
-# ...even if that version is also what is required by the main module.
-go mod init example.com
-go mod edit -require rsc.io/quote@v1.5.3-pre1
-go mod download -json rsc.io/quote@v1.5.3-pre1
-! stdout '"Latest":'

src/cmd/go/testdata/script/mod_get_direct.txt

@@ -0,0 +1,20 @@
+# Regression test for golang.org/issue/34092: with an empty module cache,
+# 'GOPROXY=direct go get golang.org/x/tools/gopls@master' did not correctly
+# resolve the pseudo-version for its dependency on golang.org/x/tools.
+
+[short] skip
+[!net] skip
+[!exec:git] skip
+
+env GO111MODULE=on
+env GOPROXY=direct
+env GOSUMDB=off
+
+go list -m cloud.google.com/go@master
+! stdout 'v0.0.0-'
+
+-- go.mod --
+module example.com
+
+go 1.14
+-- go.sum --

src/cmd/go/testdata/script/mod_get_insecure_redirect.txt

@@ -0,0 +1,13 @@
+# golang.org/issue/29591: 'go get' was following plain-HTTP redirects even without -insecure.
+
+[!net] skip
+[!exec:git] skip
+
+env GO111MODULE=on
+env GOPROXY=direct
+env GOSUMDB=off
+
+! go get -d vcs-test.golang.org/insecure/go/insecure
+stderr 'redirected .* to insecure URL'
+
+go get -d -insecure vcs-test.golang.org/insecure/go/insecure

src/cmd/go/testdata/script/mod_get_major.txt

@@ -0,0 +1,23 @@
+[!net] skip
+[!exec:git] skip
+
+env GO111MODULE=on
+env GOPROXY=direct
+env GOSUMDB=off
+
+# golang.org/issue/34383: if a module path ends in a major-version suffix,
+# ensure that 'direct' mode can resolve the package to a module.
+
+go get -d vcs-test.golang.org/git/v3pkg.git/v3@v3.0.0
+
+go list -m vcs-test.golang.org/git/v3pkg.git/v3
+stdout '^vcs-test.golang.org/git/v3pkg.git/v3 v3.0.0$'
+
+go get -d vcs-test.golang.org/git/empty-v2-without-v1.git/v2@v2.0.0
+
+go list -m vcs-test.golang.org/git/empty-v2-without-v1.git/v2
+stdout '^vcs-test.golang.org/git/empty-v2-without-v1.git/v2 v2.0.0$'
+
+-- go.mod --
+module example.com
+go 1.13

src/cmd/go/testdata/script/mod_get_patterns.txt

@@ -10,11 +10,11 @@ grep 'require rsc.io/quote' go.mod
 
 cp go.mod.orig go.mod
 ! go get -d rsc.io/quote/x...
-stderr 'go get rsc.io/quote/x...: module rsc.io/quote@upgrade \(v1.5.2\) found, but does not contain packages matching rsc.io/quote/x...'
+stderr 'go get rsc.io/quote/x...: module rsc.io/quote@upgrade found \(v1.5.2\), but does not contain packages matching rsc.io/quote/x...'
 ! grep 'require rsc.io/quote' go.mod
 
 ! go get -d rsc.io/quote/x/...
-stderr 'go get rsc.io/quote/x/...: module rsc.io/quote@upgrade \(v1.5.2\) found, but does not contain packages matching rsc.io/quote/x/...'
+stderr 'go get rsc.io/quote/x/...: module rsc.io/quote@upgrade found \(v1.5.2\), but does not contain packages matching rsc.io/quote/x/...'
 ! grep 'require rsc.io/quote' go.mod
 
 # If a pattern matches no packages within a module, the module should not

src/cmd/go/testdata/script/mod_get_trailing_slash.txt

@@ -0,0 +1,30 @@
+# go list should succeed to load a package ending with ".go" if the path does
+# not correspond to an existing local file. Listing a pattern ending with
+# ".go/" should try to list a package regardless of whether a file exists at the
+# path without the suffixed "/" or not.
+go list example.com/dotgo.go
+stdout ^example.com/dotgo.go$
+go list example.com/dotgo.go/
+stdout ^example.com/dotgo.go$
+
+# go get -d should succeed in either case, with or without a version.
+# Arguments are interpreted as packages or package patterns with versions,
+# not source files.
+go get -d example.com/dotgo.go
+go get -d example.com/dotgo.go/
+go get -d example.com/dotgo.go@v1.0.0
+go get -d example.com/dotgo.go/@v1.0.0
+
+# go get (without -d) should also succeed in either case.
+[short] skip
+go get example.com/dotgo.go
+go get example.com/dotgo.go/
+go get example.com/dotgo.go@v1.0.0
+go get example.com/dotgo.go/@v1.0.0
+
+-- go.mod --
+module m
+
+go 1.13
+
+require example.com/dotgo.go v1.0.0

src/cmd/go/testdata/script/mod_issue35317.txt

@@ -0,0 +1,8 @@
+# Regression test for golang.org/issue/35317:
+# 'go get' with multiple module-only arguments was racy.
+
+env GO111MODULE=on
+[short] skip
+
+go mod init example.com
+go get golang.org/x/text@v0.3.0 golang.org/x/internal@v0.1.0 golang.org/x/exp@none

src/cmd/go/testdata/script/mod_list_upgrade.txt

@@ -1,28 +1,8 @@
 env GO111MODULE=on
 
-# If the current version is not latest, 'go list -u' should include its upgrade.
 go list -m -u all
 stdout 'rsc.io/quote v1.2.0 \[v1\.5\.2\]'
 
-# If the current version is latest, 'go list -u' should omit the upgrade.
-go get -d rsc.io/quote@v1.5.2
-go list -m -u all
-stdout 'rsc.io/quote v1.5.2$'
-
-# If the current version is newer than latest, 'go list -u' should
-# omit the upgrade.
-go get -d rsc.io/quote@v1.5.3-pre1
-go list -m -u all
-stdout 'rsc.io/quote v1.5.3-pre1$'
-
-# If the current build list has a higher version and the user asks about
-# a lower one, -u should report the upgrade for the lower one
-# but leave the build list unchanged.
-go list -m -u rsc.io/quote@v1.5.1
-stdout 'rsc.io/quote v1.5.1 \[v1.5.2\]$'
-go list -m -u rsc.io/quote
-stdout 'rsc.io/quote v1.5.3-pre1$'
-
 -- go.mod --
 module x
 require rsc.io/quote v1.2.0

src/cmd/go/testdata/script/mod_load_badchain.txt

@@ -58,28 +58,28 @@ func Test(t *testing.T) {}
 -- update-main-expected --
 go get: example.com/badchain/c@v1.0.0 updating to
 	example.com/badchain/c@v1.1.0: parsing go.mod:
-	module declares its path as: example.com/badchain/c
-	        but was required as: example.com/badchain/wrong
+	module declares its path as: badchain.example.com/c
+	        but was required as: example.com/badchain/c
 -- update-a-expected --
 go get: example.com/badchain/a@v1.1.0 requires
 	example.com/badchain/b@v1.1.0 requires
 	example.com/badchain/c@v1.1.0: parsing go.mod:
-	module declares its path as: example.com/badchain/c
-	        but was required as: example.com/badchain/wrong
+	module declares its path as: badchain.example.com/c
+	        but was required as: example.com/badchain/c
 -- list-expected --
 go: example.com/badchain/a@v1.1.0 requires
 	example.com/badchain/b@v1.1.0 requires
 	example.com/badchain/c@v1.1.0: parsing go.mod:
-	module declares its path as: example.com/badchain/c
-	        but was required as: example.com/badchain/wrong
+	module declares its path as: badchain.example.com/c
+	        but was required as: example.com/badchain/c
 -- list-missing-expected --
 go: m/use imports
 	example.com/badchain/c: example.com/badchain/c@v1.1.0: parsing go.mod:
-	module declares its path as: example.com/badchain/c
-	        but was required as: example.com/badchain/wrong
+	module declares its path as: badchain.example.com/c
+	        but was required as: example.com/badchain/c
 -- list-missing-test-expected --
 go: m/testuse tested by
 	m/testuse.test imports
 	example.com/badchain/c: example.com/badchain/c@v1.1.0: parsing go.mod:
-	module declares its path as: example.com/badchain/c
-	        but was required as: example.com/badchain/wrong
+	module declares its path as: badchain.example.com/c
+	        but was required as: example.com/badchain/c

src/cmd/go/testdata/script/mod_replace.txt

@@ -38,6 +38,13 @@ grep 'not-rsc.io/quote/v3 v3.1.0' go.mod
 exec ./a5.exe
 stdout 'Concurrency is not parallelism.'
 
+# Error messages for modules not found in replacements should
+# indicate the replacement module.
+cp go.mod.orig go.mod
+go mod edit -replace=rsc.io/quote/v3=./local/rsc.io/quote/v3
+! go get -d rsc.io/quote/v3/missing-package
+stderr 'module rsc.io/quote/v3@upgrade found \(v3.0.0, replaced by ./local/rsc.io/quote/v3\), but does not contain package'
+
 -- go.mod --
 module quoter
 

src/cmd/go/testdata/script/test_timeout.txt

@@ -2,12 +2,13 @@
 env GO111MODULE=off
 cd a
 
-# No timeout is passed via 'go test' command.
-go test -v
+# If no timeout is set explicitly, 'go test' should set
+# -test.timeout to its internal deadline.
+go test -v . --
 stdout '10m0s'
 
-# Timeout is passed via 'go test' command.
-go test -v -timeout 30m
+# An explicit -timeout argument should be propagated to -test.timeout.
+go test -v -timeout 30m . --
 stdout '30m0s'
 
 -- a/timeout_test.go --
@@ -19,4 +20,4 @@ import (
 )
 func TestTimeout(t *testing.T) {
 	fmt.Println(flag.Lookup("test.timeout").Value.String())
-}
+}

src/cmd/internal/buildid/buildid_test.go

@@ -7,6 +7,7 @@ package buildid
 import (
 	"bytes"
 	"crypto/sha256"
+	"internal/obscuretestdata"
 	"io/ioutil"
 	"os"
 	"reflect"
@@ -19,13 +20,6 @@ const (
 )
 
 func TestReadFile(t *testing.T) {
-	var files = []string{
-		"p.a",
-		"a.elf",
-		"a.macho",
-		"a.pe",
-	}
-
 	f, err := ioutil.TempFile("", "buildid-test-")
 	if err != nil {
 		t.Fatal(err)
@@ -34,26 +28,43 @@ func TestReadFile(t *testing.T) {
 	defer os.Remove(tmp)
 	f.Close()
 
-	for _, f := range files {
-		id, err := ReadFile("testdata/" + f)
+	// Use obscured files to prevent Apple’s notarization service from
+	// mistaking them as candidates for notarization and rejecting the entire
+	// toolchain.
+	// See golang.org/issue/34986
+	var files = []string{
+		"p.a.base64",
+		"a.elf.base64",
+		"a.macho.base64",
+		"a.pe.base64",
+	}
+
+	for _, name := range files {
+		f, err := obscuretestdata.DecodeToTempFile("testdata/" + name)
+		if err != nil {
+			t.Errorf("obscuretestdata.DecodeToTempFile(testdata/%s): %v", name, err)
+			continue
+		}
+		defer os.Remove(f)
+		id, err := ReadFile(f)
 		if id != expectedID || err != nil {
 			t.Errorf("ReadFile(testdata/%s) = %q, %v, want %q, nil", f, id, err, expectedID)
 		}
 		old := readSize
 		readSize = 2048
-		id, err = ReadFile("testdata/" + f)
+		id, err = ReadFile(f)
 		readSize = old
 		if id != expectedID || err != nil {
-			t.Errorf("ReadFile(testdata/%s) [readSize=2k] = %q, %v, want %q, nil", f, id, err, expectedID)
+			t.Errorf("ReadFile(%s) [readSize=2k] = %q, %v, want %q, nil", f, id, err, expectedID)
 		}
 
-		data, err := ioutil.ReadFile("testdata/" + f)
+		data, err := ioutil.ReadFile(f)
 		if err != nil {
 			t.Fatal(err)
 		}
 		m, _, err := FindAndHash(bytes.NewReader(data), expectedID, 1024)
 		if err != nil {
-			t.Errorf("FindAndHash(testdata/%s): %v", f, err)
+			t.Errorf("FindAndHash(%s): %v", f, err)
 			continue
 		}
 		if err := ioutil.WriteFile(tmp, data, 0666); err != nil {
@@ -68,7 +79,7 @@ func TestReadFile(t *testing.T) {
 		err = Rewrite(tf, m, newID)
 		err2 := tf.Close()
 		if err != nil {
-			t.Errorf("Rewrite(testdata/%s): %v", f, err)
+			t.Errorf("Rewrite(%s): %v", f, err)
 			continue
 		}
 		if err2 != nil {
@@ -77,7 +88,7 @@ func TestReadFile(t *testing.T) {
 
 		id, err = ReadFile(tmp)
 		if id != newID || err != nil {
-			t.Errorf("ReadFile(testdata/%s after Rewrite) = %q, %v, want %q, nil", f, id, err, newID)
+			t.Errorf("ReadFile(%s after Rewrite) = %q, %v, want %q, nil", f, id, err, newID)
 		}
 	}
 }

src/cmd/internal/buildid/testdata/a.pe.base64

@@ -0,0 +1 @@
+TVqQAAMABAAAAAAA//8AAIsAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYEAAAAAAAADAAAAAAAAPAAIwILAgMAAAIAAAACAAAAAAAAcBAAAAAQAAAAAEAAAAAAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAABQAAAABgAAAAAAAAMAAAAAACAAAAAAAADgHwAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAMAAAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAMYBAAAAEAAAAAIAAAAGAAAAAAAAAAAAAAAAAABgAABgLmRhdGEAAADgAQAAACAAAAACAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5pZGF0YQAAFAAAAAAwAAAAAgAAAAoAAAAAAAAAAAAAAAAAAEAAAMAuc3ltdGFiAAQAAAAAQAAAAAIAAAAMAAAAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/yBHbyBidWlsZCBJRDogImFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6LjEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQiCiD/zMPMzMzMzMzMzMzMzMzMzMwBAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAEEAAAAAAAAAAAAAAAAAA+////wAAAQgCAAAAAAAAAAAQQAAAAAAAQAAAAAAAAABwEEAAAAAAAHgAAAAAAAAAcRBAAAAAAADIAAAAAAAAAAAQQAAAAAAAaAAAAAAAAABnRSMBAAAAAAAAAAAAAAAAAAAAAAAAAABnby5idWlsZGlkAAAAAAAAcBBAAAAAAACwAAAAAAAAAGdFIwG7AAAAvgAAAMEAAAAAAAAAAgAAAIAQQAAAAAAAgBBAAAAAAABtYWluLm1haW4AAAIBAAQBAAYBAAAAAAACAAAA0AAAAC9Vc2Vycy9yc2MvZ28vc3JjL2NtZC9pbnRlcm5hbC9idWlsZGlkL3Rlc3RkYXRhL3AuZ28AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgIEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAQQAAAAAAABgEAAAAAAAAGAQAAAAAAANAQQAAAAAAAAwAAAAAAAAADAAAAAAAAAIgRQAAAAAAAAgAAAAAAAAACAAAAAAAAAIwQQAAAAAAAABBAAAAAAABxEEAAAAAAAAAQQAAAAAAAgBBAAAAAAAAAIEAAAAAAAOAhQAAAAAAA4CFAAAAAAADgIUAAAAAAAOAhQAAAAAAA4CFAAAAAAADgIUAAAAAAAOAhQAAAAAAA4CFAAAAAAACJEEAAAAAAAIgQQAAAAAAAgBBAAAAAAAC4EEAAAAAAAKAQQAAAAAAAAQAAAAAAAAABAAAAAAAAALgQQAAAAAAAAAAAAAAAAAAAAAAAAAAAALgQQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

src/cmd/internal/buildid/testdata/p.a.base64

@@ -0,0 +1 @@
+ITxhcmNoPgpfXy5QS0dERUYgICAgICAgMCAgICAgICAgICAgMCAgICAgMCAgICAgNjQ0ICAgICAzMzAgICAgICAgYApnbyBvYmplY3QgZGFyd2luIGFtZDY0IGRldmVsICszYjMzYWY1ZDY4IFRodSBPY3QgNSAxNjo1OTowMCAyMDE3IC0wNDAwIFg6ZnJhbWVwb2ludGVyCmJ1aWxkIGlkICJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ei4xMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0IgotLS0tCgpidWlsZCBpZCAiYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXouMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNCIKCiQkQgp2ZXJzaW9uIDUKCgACAQFwAAsACwABAAokJApfZ29fLm8gICAgICAgICAgMCAgICAgICAgICAgMCAgICAgMCAgICAgNjQ0ICAgICAyMjMgICAgICAgYApnbyBvYmplY3QgZGFyd2luIGFtZDY0IGRldmVsICszYjMzYWY1ZDY4IFRodSBPY3QgNSAxNjo1OTowMCAyMDE3IC0wNDAwIFg6ZnJhbWVwb2ludGVyCmJ1aWxkIGlkICJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ei4xMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0IgotLS0tCgoKIQoAAGdvMTlsZAEA/wAAAAAAAP//Z28xOWxkAA==

src/cmd/internal/obj/x86/asm6.go

@@ -3514,7 +3514,7 @@ func (ab *AsmBuf) asmandsz(ctxt *obj.Link, cursym *obj.LSym, p *obj.Prog, a *obj
 	}
 
 	if REG_AX <= base && base <= REG_R15 {
-		if a.Index == REG_TLS && !ctxt.Flag_shared {
+		if a.Index == REG_TLS && !ctxt.Flag_shared && !isAndroid {
 			rel = obj.Reloc{}
 			rel.Type = objabi.R_TLS_LE
 			rel.Siz = 4

src/cmd/link/link_test.go

@@ -1,6 +1,8 @@
 package main
 
 import (
+	"bufio"
+	"bytes"
 	"debug/macho"
 	"internal/testenv"
 	"io/ioutil"
@@ -315,3 +317,62 @@ func TestMacOSVersion(t *testing.T) {
 		t.Errorf("no LC_VERSION_MIN_MACOSX load command found")
 	}
 }
+
+const Issue34788src = `
+
+package blah
+
+func Blah(i int) int {
+	a := [...]int{1, 2, 3, 4, 5, 6, 7, 8}
+	return a[i&7]
+}
+`
+
+func TestIssue34788Android386TLSSequence(t *testing.T) {
+	testenv.MustHaveGoBuild(t)
+
+	// This is a cross-compilation test, so it doesn't make
+	// sense to run it on every GOOS/GOARCH combination. Limit
+	// the test to amd64 + darwin/linux.
+	if runtime.GOARCH != "amd64" ||
+		(runtime.GOOS != "darwin" && runtime.GOOS != "linux") {
+		t.Skip("skipping on non-{linux,darwin}/amd64 platform")
+	}
+
+	tmpdir, err := ioutil.TempDir("", "TestIssue34788Android386TLSSequence")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(tmpdir)
+
+	src := filepath.Join(tmpdir, "blah.go")
+	err = ioutil.WriteFile(src, []byte(Issue34788src), 0666)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	obj := filepath.Join(tmpdir, "blah.o")
+	cmd := exec.Command(testenv.GoToolPath(t), "tool", "compile", "-o", obj, src)
+	cmd.Env = append(os.Environ(), "GOARCH=386", "GOOS=android")
+	if out, err := cmd.CombinedOutput(); err != nil {
+		if err != nil {
+			t.Fatalf("failed to compile blah.go: %v, output: %s\n", err, out)
+		}
+	}
+
+	// Run objdump on the resulting object.
+	cmd = exec.Command(testenv.GoToolPath(t), "tool", "objdump", obj)
+	out, oerr := cmd.CombinedOutput()
+	if oerr != nil {
+		t.Fatalf("failed to objdump blah.o: %v, output: %s\n", oerr, out)
+	}
+
+	// Sift through the output; we should not be seeing any R_TLS_LE relocs.
+	scanner := bufio.NewScanner(bytes.NewReader(out))
+	for scanner.Scan() {
+		line := scanner.Text()
+		if strings.Contains(line, "R_TLS_LE") {
+			t.Errorf("objdump output contains unexpected R_TLS_LE reloc: %s", line)
+		}
+	}
+}

src/cmd/nm/nm_test.go

@@ -6,6 +6,7 @@ package main
 
 import (
 	"fmt"
+	"internal/obscuretestdata"
 	"internal/testenv"
 	"io/ioutil"
 	"os"
@@ -57,8 +58,8 @@ func TestNonGoExecs(t *testing.T) {
 	testfiles := []string{
 		"debug/elf/testdata/gcc-386-freebsd-exec",
 		"debug/elf/testdata/gcc-amd64-linux-exec",
-		"debug/macho/testdata/gcc-386-darwin-exec",
-		"debug/macho/testdata/gcc-amd64-darwin-exec",
+		"debug/macho/testdata/gcc-386-darwin-exec.base64",   // golang.org/issue/34986
+		"debug/macho/testdata/gcc-amd64-darwin-exec.base64", // golang.org/issue/34986
 		// "debug/pe/testdata/gcc-amd64-mingw-exec", // no symbols!
 		"debug/pe/testdata/gcc-386-mingw-exec",
 		"debug/plan9obj/testdata/amd64-plan9-exec",
@@ -67,6 +68,16 @@ func TestNonGoExecs(t *testing.T) {
 	}
 	for _, f := range testfiles {
 		exepath := filepath.Join(runtime.GOROOT(), "src", f)
+		if strings.HasSuffix(f, ".base64") {
+			tf, err := obscuretestdata.DecodeToTempFile(exepath)
+			if err != nil {
+				t.Errorf("obscuretestdata.DecodeToTempFile(%s): %v", exepath, err)
+				continue
+			}
+			defer os.Remove(tf)
+			exepath = tf
+		}
+
 		cmd := exec.Command(testnmpath, exepath)
 		out, err := cmd.CombinedOutput()
 		if err != nil {

src/cmd/vendor/golang.org/x/arch/x86/x86asm/decode.go

@@ -203,7 +203,9 @@ func instPrefix(b byte, mode int) (Inst, error) {
 // For now we use instPrefix but perhaps later we will return
 // a specific error here.
 func truncated(src []byte, mode int) (Inst, error) {
-	//	return Inst{}, len(src), ErrTruncated
+	if len(src) == 0 {
+		return Inst{}, ErrTruncated
+	}
 	return instPrefix(src[0], mode) // too long
 }
 
@@ -216,7 +218,6 @@ var (
 
 // decoderCover records coverage information for which parts
 // of the byte code have been executed.
-// TODO(rsc): This is for testing. Only use this if a flag is given.
 var decoderCover []bool
 
 // Decode decodes the leading bytes in src as a single instruction.
@@ -406,7 +407,7 @@ ReadPrefixes:
 
 		//Group 5 - Vex encoding
 		case 0xC5:
-			if pos == 0 && (mode == 64 || (mode == 32 && pos+1 < len(src) && src[pos+1]&0xc0 == 0xc0)) {
+			if pos == 0 && pos+1 < len(src) && (mode == 64 || (mode == 32 && src[pos+1]&0xc0 == 0xc0)) {
 				vex = p
 				vexIndex = pos
 				inst.Prefix[pos] = p
@@ -418,7 +419,7 @@ ReadPrefixes:
 				break ReadPrefixes
 			}
 		case 0xC4:
-			if pos == 0 && (mode == 64 || (mode == 32 && pos+2 < len(src) && src[pos+1]&0xc0 == 0xc0)) {
+			if pos == 0 && pos+2 < len(src) && (mode == 64 || (mode == 32 && src[pos+1]&0xc0 == 0xc0)) {
 				vex = p
 				vexIndex = pos
 				inst.Prefix[pos] = p
@@ -460,9 +461,6 @@ ReadPrefixes:
 	// opshift gives the shift to use when saving the next
 	// opcode byte into inst.Opcode.
 	opshift = 24
-	if decoderCover == nil {
-		decoderCover = make([]bool, len(decoder))
-	}
 
 	// Decode loop, executing decoder program.
 	var oldPC, prevPC int
@@ -474,7 +472,9 @@ Decode:
 			println("run", pc)
 		}
 		x := decoder[pc]
-		decoderCover[pc] = true
+		if decoderCover != nil {
+			decoderCover[pc] = true
+		}
 		pc++
 
 		// Read and decode ModR/M if needed by opcode.

src/cmd/vendor/modules.txt

@@ -16,7 +16,7 @@ github.com/google/pprof/third_party/d3flamegraph
 github.com/google/pprof/third_party/svgpan
 # github.com/ianlancetaylor/demangle v0.0.0-20180524225900-fc6590592b44
 github.com/ianlancetaylor/demangle
-# golang.org/x/arch v0.0.0-20181203225421-5a4828bb7045
+# golang.org/x/arch v0.0.0-20190815191158-8a70ba74b3a1
 golang.org/x/arch/arm/armasm
 golang.org/x/arch/arm64/arm64asm
 golang.org/x/arch/ppc64/ppc64asm

src/compress/gzip/gunzip_test.go

@@ -7,6 +7,7 @@ package gzip
 import (
 	"bytes"
 	"compress/flate"
+	"encoding/base64"
 	"io"
 	"io/ioutil"
 	"os"
@@ -413,11 +414,16 @@ func TestDecompressor(t *testing.T) {
 }
 
 func TestIssue6550(t *testing.T) {
-	f, err := os.Open("testdata/issue6550.gz")
+	// Apple’s notarization service will recursively attempt to decompress
+	// files in order to find binaries to notarize. Since the service is
+	// unable to decompress this file, it may reject the entire toolchain. Use a
+	// base64-encoded version to avoid this.
+	// See golang.org/issue/34986
+	f, err := os.Open("testdata/issue6550.gz.base64")
 	if err != nil {
 		t.Fatal(err)
 	}
-	gzip, err := NewReader(f)
+	gzip, err := NewReader(base64.NewDecoder(base64.StdEncoding, f))
 	if err != nil {
 		t.Fatalf("NewReader(testdata/issue6550.gz): %v", err)
 	}

src/crypto/dsa/dsa.go

@@ -279,6 +279,9 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	}
 
 	w := new(big.Int).ModInverse(s, pub.Q)
+	if w == nil {
+		return false
+	}
 
 	n := pub.Q.BitLen()
 	if n&7 != 0 {

src/crypto/ecdsa/ecdsa.go

@@ -189,21 +189,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
 
 	// See [NSA] 3.4.1
 	c := priv.PublicKey.Curve
-	e := hashToInt(hash, c)
-	r, s, err = sign(priv, &csprng, c, e)
-	return
-}
-
-func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, e *big.Int) (r, s *big.Int, err error) {
 	N := c.Params().N
 	if N.Sign() == 0 {
 		return nil, nil, errZeroParam
 	}
-
 	var k, kInv *big.Int
 	for {
 		for {
-			k, err = randFieldElement(c, *csprng)
+			k, err = randFieldElement(c, csprng)
 			if err != nil {
 				r = nil
 				return
@@ -221,6 +214,8 @@ func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve
 				break
 			}
 		}
+
+		e := hashToInt(hash, c)
 		s = new(big.Int).Mul(priv.D, r)
 		s.Add(s, e)
 		s.Mul(s, kInv)
@@ -229,6 +224,7 @@ func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve
 			break
 		}
 	}
+
 	return
 }
 
@@ -246,12 +242,8 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 		return false
 	}
 	e := hashToInt(hash, c)
-	return verify(pub, c, e, r, s)
-}
 
-func verifyGeneric(pub *PublicKey, c elliptic.Curve, e, r, s *big.Int) bool {
 	var w *big.Int
-	N := c.Params().N
 	if in, ok := c.(invertible); ok {
 		w = in.Inverse(s)
 	} else {

src/crypto/ecdsa/ecdsa_noasm.go

@@ -1,22 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !s390x
-
-package ecdsa
-
-import (
-	"crypto/cipher"
-	"crypto/elliptic"
-	"math/big"
-)
-
-func sign(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, e *big.Int) (r, s *big.Int, err error) {
-	r, s, err = signGeneric(priv, csprng, c, e)
-	return
-}
-
-func verify(pub *PublicKey, c elliptic.Curve, e, r, s *big.Int) bool {
-	return verifyGeneric(pub, c, e, r, s)
-}

src/crypto/ecdsa/ecdsa_s390x.go

@@ -1,153 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build s390x,!gccgo
-
-package ecdsa
-
-import (
-	"crypto/cipher"
-	"crypto/elliptic"
-	"internal/cpu"
-	"math/big"
-)
-
-// s390x accelerated signatures
-//go:noescape
-func kdsaSig(fc uint64, block *[1720]byte) (errn uint64)
-
-type signverify int
-
-const (
-	signing signverify = iota
-	verifying
-)
-
-// bufferOffsets represents the offset of a particular parameter in
-// the buffer passed to the KDSA instruction.
-type bufferOffsets struct {
-	baseSize       int
-	hashSize       int
-	offsetHash     int
-	offsetKey1     int
-	offsetRNorKey2 int
-	offsetR        int
-	offsetS        int
-	functionCode   uint64
-}
-
-func canUseKDSA(sv signverify, c elliptic.Curve, bo *bufferOffsets) bool {
-	if !cpu.S390X.HasECDSA {
-		return false
-	}
-
-	switch c.Params().Name {
-	case "P-256":
-		bo.baseSize = 32
-		bo.hashSize = 32
-		bo.offsetHash = 64
-		bo.offsetKey1 = 96
-		bo.offsetRNorKey2 = 128
-		bo.offsetR = 0
-		bo.offsetS = 32
-		if sv == signing {
-			bo.functionCode = 137
-		} else {
-			bo.functionCode = 1
-		}
-		return true
-	case "P-384":
-		bo.baseSize = 48
-		bo.hashSize = 48
-		bo.offsetHash = 96
-		bo.offsetKey1 = 144
-		bo.offsetRNorKey2 = 192
-		bo.offsetR = 0
-		bo.offsetS = 48
-		if sv == signing {
-			bo.functionCode = 138
-		} else {
-			bo.functionCode = 2
-		}
-		return true
-	case "P-521":
-		bo.baseSize = 66
-		bo.hashSize = 80
-		bo.offsetHash = 160
-		bo.offsetKey1 = 254
-		bo.offsetRNorKey2 = 334
-		bo.offsetR = 14
-		bo.offsetS = 94
-		if sv == signing {
-			bo.functionCode = 139
-		} else {
-			bo.functionCode = 3
-		}
-		return true
-	}
-	return false
-}
-
-// zeroExtendAndCopy pads src with leading zeros until it has the size given.
-// It then copies the padded src into the dst. Bytes beyond size in dst are
-// not modified.
-func zeroExtendAndCopy(dst, src []byte, size int) {
-	nz := size - len(src)
-	if nz < 0 {
-		panic("src is too long")
-	}
-	// the compiler should replace this loop with a memclr call
-	z := dst[:nz]
-	for i := range z {
-		z[i] = 0
-	}
-	copy(dst[nz:size], src[:size-nz])
-	return
-}
-
-func sign(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, e *big.Int) (r, s *big.Int, err error) {
-	var bo bufferOffsets
-	if canUseKDSA(signing, c, &bo) && e.Sign() != 0 {
-		var buffer [1720]byte
-		for {
-			var k *big.Int
-			k, err = randFieldElement(c, csprng)
-			if err != nil {
-				return nil, nil, err
-			}
-			zeroExtendAndCopy(buffer[bo.offsetHash:], e.Bytes(), bo.hashSize)
-			zeroExtendAndCopy(buffer[bo.offsetKey1:], priv.D.Bytes(), bo.baseSize)
-			zeroExtendAndCopy(buffer[bo.offsetRNorKey2:], k.Bytes(), bo.baseSize)
-			errn := kdsaSig(bo.functionCode, &buffer)
-			if errn == 2 {
-				return nil, nil, errZeroParam
-			}
-			if errn == 0 { // success == 0 means successful signing
-				r = new(big.Int)
-				r.SetBytes(buffer[bo.offsetR : bo.offsetR+bo.baseSize])
-				s = new(big.Int)
-				s.SetBytes(buffer[bo.offsetS : bo.offsetS+bo.baseSize])
-				return
-			}
-			//at this point, it must be that errn == 1: retry
-		}
-	}
-	r, s, err = signGeneric(priv, csprng, c, e)
-	return
-}
-
-func verify(pub *PublicKey, c elliptic.Curve, e, r, s *big.Int) bool {
-	var bo bufferOffsets
-	if canUseKDSA(verifying, c, &bo) && e.Sign() != 0 {
-		var buffer [1720]byte
-		zeroExtendAndCopy(buffer[bo.offsetR:], r.Bytes(), bo.baseSize)
-		zeroExtendAndCopy(buffer[bo.offsetS:], s.Bytes(), bo.baseSize)
-		zeroExtendAndCopy(buffer[bo.offsetHash:], e.Bytes(), bo.hashSize)
-		zeroExtendAndCopy(buffer[bo.offsetKey1:], pub.X.Bytes(), bo.baseSize)
-		zeroExtendAndCopy(buffer[bo.offsetRNorKey2:], pub.Y.Bytes(), bo.baseSize)
-		errn := kdsaSig(bo.functionCode, &buffer)
-		return errn == 0
-	}
-	return verifyGeneric(pub, c, e, r, s)
-}

src/crypto/ecdsa/ecdsa_s390x.s

@@ -1,31 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-#include "textflag.h"
-
-// func kdsaSig(fc uint64, block *[1720]byte) (errn uint64)
-TEXT ·kdsaSig(SB), NOSPLIT|NOFRAME, $0-24
-	MOVD fc+0(FP), R0    // function code
-	MOVD block+8(FP), R1 // address parameter block
-
-loop:
-	WORD $0xB93A0008 // compute digital signature authentication
-	BVS  loop        // branch back if interrupted
-	BEQ  success     // signature creation successful
-	BGT  retry       // signing unsuccessful, but retry with new CSPRN
-
-error:
-	MOVD $2, R2          // fallthrough indicates fatal error
-	MOVD R2, errn+16(FP) // return 2 - sign/verify abort
-	RET
-
-retry:
-	MOVD $1, R2
-	MOVD R2, errn+16(FP) // return 1 - sign/verify was unsuccessful -- if sign, retry with new RN
-	RET
-
-success:
-	MOVD $0, R2
-	MOVD R2, errn+16(FP) // return 0 - sign/verify was successful
-	RET

src/crypto/ecdsa/ecdsa_s390x_test.go

@@ -1,33 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build s390x,!gccgo
-
-package ecdsa
-
-import (
-	"crypto/elliptic"
-	"testing"
-)
-
-func TestNoAsm(t *testing.T) {
-	curves := [...]elliptic.Curve{
-		elliptic.P256(),
-		elliptic.P384(),
-		elliptic.P521(),
-	}
-
-	for _, curve := range curves {
-		// override the name of the curve to stop the assembly path being taken
-		params := *curve.Params()
-		name := params.Name
-		params.Name = name + "_GENERIC_OVERRIDE"
-
-		testKeyGeneration(t, &params, name)
-		testSignAndVerify(t, &params, name)
-		testNonceSafety(t, &params, name)
-		testINDCCA(t, &params, name)
-		testNegativeInputs(t, &params, name)
-	}
-}

src/crypto/tls/common.go

@@ -794,6 +794,10 @@ var supportedVersions = []uint16{
 func (c *Config) supportedVersions(isClient bool) []uint16 {
 	versions := make([]uint16, 0, len(supportedVersions))
 	for _, v := range supportedVersions {
+		// TLS 1.0 is the default minimum version.
+		if (c == nil || c.MinVersion == 0) && v < VersionTLS10 {
+			continue
+		}
 		if c != nil && c.MinVersion != 0 && v < c.MinVersion {
 			continue
 		}

src/crypto/tls/handshake_server_test.go

@@ -77,6 +77,20 @@ func TestRejectBadProtocolVersion(t *testing.T) {
 	}, "unsupported versions")
 }
 
+func TestSSLv3OptIn(t *testing.T) {
+	config := testConfig.Clone()
+	config.MinVersion = 0
+	testClientHelloFailure(t, config, &clientHelloMsg{
+		vers:   VersionSSL30,
+		random: make([]byte, 32),
+	}, "unsupported versions")
+	testClientHelloFailure(t, config, &clientHelloMsg{
+		vers:              VersionTLS12,
+		supportedVersions: []uint16{VersionSSL30},
+		random:            make([]byte, 32),
+	}, "unsupported versions")
+}
+
 func TestNoSuiteOverlap(t *testing.T) {
 	clientHello := &clientHelloMsg{
 		vers:               VersionTLS10,

src/crypto/x509/pkcs8.go

@@ -79,7 +79,7 @@ func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error) {
 	}
 }
 
-// MarshalPKCS8PrivateKey converts an RSA private key to PKCS#8, ASN.1 DER form.
+// MarshalPKCS8PrivateKey converts a private key to PKCS#8, ASN.1 DER form.
 //
 // The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey
 // and ed25519.PrivateKey. Unsupported key types result in an error.

src/crypto/x509/root_windows.go

@@ -219,10 +219,26 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 	if err != nil {
 		return nil, err
 	}
+	if len(chain) < 1 {
+		return nil, errors.New("x509: internal error: system verifier returned an empty chain")
+	}
 
-	chains = append(chains, chain)
+	// Mitigate CVE-2020-0601, where the Windows system verifier might be
+	// tricked into using custom curve parameters for a trusted root, by
+	// double-checking all ECDSA signatures. If the system was tricked into
+	// using spoofed parameters, the signature will be invalid for the correct
+	// ones we parsed. (We don't support custom curves ourselves.)
+	for i, parent := range chain[1:] {
+		if parent.PublicKeyAlgorithm != ECDSA {
+			continue
+		}
+		if err := parent.CheckSignature(chain[i].SignatureAlgorithm,
+			chain[i].RawTBSCertificate, chain[i].Signature); err != nil {
+			return nil, err
+		}
+	}
 
-	return chains, nil
+	return [][]*Certificate{chain}, nil
 }
 
 func loadSystemRoots() (*CertPool, error) {

src/debug/macho/file_test.go

@@ -5,6 +5,9 @@
 package macho
 
 import (
+	"bytes"
+	"internal/obscuretestdata"
+	"io"
 	"reflect"
 	"testing"
 )
@@ -19,7 +22,7 @@ type fileTest struct {
 
 var fileTests = []fileTest{
 	{
-		"testdata/gcc-386-darwin-exec",
+		"testdata/gcc-386-darwin-exec.base64",
 		FileHeader{0xfeedface, Cpu386, 0x3, 0x2, 0xc, 0x3c0, 0x85},
 		[]interface{}{
 			&SegmentHeader{LoadCmdSegment, 0x38, "__PAGEZERO", 0x0, 0x1000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
@@ -45,7 +48,7 @@ var fileTests = []fileTest{
 		nil,
 	},
 	{
-		"testdata/gcc-amd64-darwin-exec",
+		"testdata/gcc-amd64-darwin-exec.base64",
 		FileHeader{0xfeedfacf, CpuAmd64, 0x80000003, 0x2, 0xb, 0x568, 0x85},
 		[]interface{}{
 			&SegmentHeader{LoadCmdSegment64, 0x48, "__PAGEZERO", 0x0, 0x100000000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
@@ -73,7 +76,7 @@ var fileTests = []fileTest{
 		nil,
 	},
 	{
-		"testdata/gcc-amd64-darwin-exec-debug",
+		"testdata/gcc-amd64-darwin-exec-debug.base64",
 		FileHeader{0xfeedfacf, CpuAmd64, 0x80000003, 0xa, 0x4, 0x5a0, 0},
 		[]interface{}{
 			nil, // LC_UUID
@@ -101,7 +104,7 @@ var fileTests = []fileTest{
 		nil,
 	},
 	{
-		"testdata/clang-386-darwin-exec-with-rpath",
+		"testdata/clang-386-darwin-exec-with-rpath.base64",
 		FileHeader{0xfeedface, Cpu386, 0x3, 0x2, 0x10, 0x42c, 0x1200085},
 		[]interface{}{
 			nil, // LC_SEGMENT
@@ -125,7 +128,7 @@ var fileTests = []fileTest{
 		nil,
 	},
 	{
-		"testdata/clang-amd64-darwin-exec-with-rpath",
+		"testdata/clang-amd64-darwin-exec-with-rpath.base64",
 		FileHeader{0xfeedfacf, CpuAmd64, 0x80000003, 0x2, 0x10, 0x4c8, 0x200085},
 		[]interface{}{
 			nil, // LC_SEGMENT
@@ -149,7 +152,7 @@ var fileTests = []fileTest{
 		nil,
 	},
 	{
-		"testdata/clang-386-darwin.obj",
+		"testdata/clang-386-darwin.obj.base64",
 		FileHeader{0xfeedface, Cpu386, 0x3, 0x1, 0x4, 0x138, 0x2000},
 		nil,
 		nil,
@@ -184,7 +187,7 @@ var fileTests = []fileTest{
 		},
 	},
 	{
-		"testdata/clang-amd64-darwin.obj",
+		"testdata/clang-amd64-darwin.obj.base64",
 		FileHeader{0xfeedfacf, CpuAmd64, 0x3, 0x1, 0x4, 0x200, 0x2000},
 		nil,
 		nil,
@@ -221,11 +224,47 @@ var fileTests = []fileTest{
 	},
 }
 
+func readerAtFromObscured(name string) (io.ReaderAt, error) {
+	b, err := obscuretestdata.ReadFile(name)
+	if err != nil {
+		return nil, err
+	}
+	return bytes.NewReader(b), nil
+}
+
+func openObscured(name string) (*File, error) {
+	ra, err := readerAtFromObscured(name)
+	if err != nil {
+		return nil, err
+	}
+	ff, err := NewFile(ra)
+	if err != nil {
+		return nil, err
+	}
+	return ff, nil
+}
+
+func openFatObscured(name string) (*FatFile, error) {
+	ra, err := readerAtFromObscured(name)
+	if err != nil {
+		return nil, err
+	}
+	ff, err := NewFatFile(ra)
+	if err != nil {
+		return nil, err
+	}
+	return ff, nil
+}
+
 func TestOpen(t *testing.T) {
 	for i := range fileTests {
 		tt := &fileTests[i]
 
-		f, err := Open(tt.file)
+		// Use obscured files to prevent Apple’s notarization service from
+		// mistaking them as candidates for notarization and rejecting the entire
+		// toolchain.
+		// See golang.org/issue/34986
+		f, err := openObscured(tt.file)
 		if err != nil {
 			t.Error(err)
 			continue
@@ -318,7 +357,7 @@ func TestOpenFailure(t *testing.T) {
 }
 
 func TestOpenFat(t *testing.T) {
-	ff, err := OpenFat("testdata/fat-gcc-386-amd64-darwin-exec")
+	ff, err := openFatObscured("testdata/fat-gcc-386-amd64-darwin-exec.base64")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -350,8 +389,8 @@ func TestOpenFatFailure(t *testing.T) {
 		t.Errorf("OpenFat %s: succeeded unexpectedly", filename)
 	}
 
-	filename = "testdata/gcc-386-darwin-exec" // not a fat Mach-O
-	ff, err := OpenFat(filename)
+	filename = "testdata/gcc-386-darwin-exec.base64" // not a fat Mach-O
+	ff, err := openFatObscured(filename)
 	if err != ErrNotFat {
 		t.Errorf("OpenFat %s: got %v, want ErrNotFat", filename, err)
 	}

src/debug/macho/testdata/clang-386-darwin.obj.base64

@@ -0,0 +1 @@
+zvrt/gcAAAADAAAAAQAAAAQAAAA4AQAAACAAAAEAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7AAAAVAEAADsAAAAHAAAABwAAAAIAAAAAAAAAX190ZXh0AAAAAAAAAAAAAF9fVEVYVAAAAAAAAAAAAAAAAAAALQAAAFQBAAAEAAAAkAEAAAMAAAAABACAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19URVhUAAAAAAAAAAAAAC0AAAAOAAAAgQEAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAACQAAAAQAAAAAAwKAAAAAAACAAAAGAAAAKgBAAACAAAAwAEAABAAAAALAAAAUAAAAAAAAAAAAAAAAAAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFWJ5YPsGOgAAAAAWI2AIgAAAMdF/AAAAACJBCTo3////zHJiUX4iciDxBhdw2hlbGxvLCB3b3JsZAoAAB0AAAABAAANDgAApC0AAAAAAAChCwAAAAEAAAAPAQAAAAAAAAcAAAABAAAAAAAAAABfbWFpbgBfcHJpbnRmAAA=

src/debug/macho/testdata/clang-amd64-darwin.obj.base64

@@ -0,0 +1 @@
+z/rt/gcAAAEDAAAAAQAAAAQAAAAAAgAAACAAAAAAAAAZAAAAiAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJgAAAAAAAAAIAIAAAAAAACYAAAAAAAAAAcAAAAHAAAABAAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAAAAAAAAAAAAKgAAAAAAAAAgAgAABAAAALgCAAACAAAAAAQAgAAAAAAAAAAAAAAAAF9fY3N0cmluZwAAAAAAAABfX1RFWFQAAAAAAAAAAAAAKgAAAAAAAAAOAAAAAAAAAEoCAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAX19jb21wYWN0X3Vud2luZF9fTEQAAAAAAAAAAAAAAAA4AAAAAAAAACAAAAAAAAAAWAIAAAMAAADIAgAAAQAAAAAAAAIAAAAAAAAAAAAAAABfX2VoX2ZyYW1lAAAAAAAAX19URVhUAAAAAAAAAAAAAFgAAAAAAAAAQAAAAAAAAAB4AgAAAwAAAAAAAAAAAAAACwAAaAAAAAAAAAAAAAAAACQAAAAQAAAAAAwKAAAAAAACAAAAGAAAANACAAACAAAA8AIAABAAAAALAAAAUAAAAAAAAAAAAAAAAAAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFVIieVIg+wQSI09GwAAAMdF/AAAAACwAOgAAAAAMcmJRfiJyEiDxBBdw2hlbGxvLCB3b3JsZAoAAAAAAAAAAAAqAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAUAAAAAAAAAAF6UgABeBABEAwHCJABAAAkAAAAHAAAAIj/////////KgAAAAAAAAAAQQ4QhgJDDQYAAAAAAAAAGQAAAAEAAC0LAAAAAgAAFQAAAAABAAAGAQAAAA8BAAAAAAAAAAAAAAcAAAABAAAAAAAAAAAAAAAAX21haW4AX3ByaW50ZgAA