Related to #74380.

The Go toolchain will invoke VCS commands in some situations in order to learn about the current state of a module, and in some circumstances embed information about said state in binaries.

In https://go.dev/cl/686515 we protected against the scenario where multiple VCS appeared to be present in order to prevent attacks wherein one VCS was used to retrieve a module which contained configuration metadata for another VCS. This change doesn't protect against the scenario where a module is retrieved using another non-VCS, non-toolchain method, such as downloading an archive file, which may contain malicious VCS configuration information.

There is no way for the toolchain to know if the VCS metadata in a module directory is safe or unsafe, and we currently assume that the user controls, and trusts, said directory for the purposes of invoking VCS commands.

One possible solution to this is to attempt to defensively unset certain VCS configuration options when invoking VCS commands (such as the Git core.fsmonitor option), in order to prevent the toolchain for executing unexpected commands when operating in untrusted directories.

Enumerating the list of dangerous VCS configuration options is likely to be a significant amount of work, and keeping it up to date is equally complex (not all that dissimilar to the dangerous CGO compiler/linker option disallow list we maintain.) Additionally, in trusted directories, unsetting some of these options may result in performance degradations, or other unwanted behavior. Because of this we'd likely want to introduce a GODEBUG that allows disabling this behavior.

cc @golang/command-line @golang/security