cmd/go: support GOPROXY fallback on unexpected errors #37367

Closed
@heschi


In #26334, particularly #26334 (comment), we decided that the go command should only try the next proxy in GOPROXY if it received a deliberate not found (404/410) response. This prevents unwanted leakage of private module paths in case a private proxy has an outage -- if the go command tried the next proxy on 500s, it would leak the request to proxy.golang.org or any other public proxy in the chain.

For public proxies like proxy.golang.org, this argument doesn't apply. Falling back from a public proxy, particularly to direct, should be much less risky. The only information leaked is that a particular IP address wants a public module, which must by definition have been public to be served by the public proxy in the first place. And that's not a new risk -- public proxies are free to serve a 404 whenever they want.

Therefore, allowing fallback on all errors would improve reliability of the ecosystem with only minimal costs. As a strawman, we could support | delimiters, which would be used like:

GOPROXY=goproxy.corp,proxy.golang.org|direct

meaning to require an affirmative response from goproxy.corp, then try proxy.golang.org and fall back to direct on any failure, expected or otherwise. Precisely, | after an entry means "if the prior entry fails in any way, continue to the next entry".

The default value of GOPROXY would presumably then change to GOPROXY=proxy.golang.org|direct.

@FiloSottile just in case there are security implications, but I'm pretty sure sum.golang.org covers this same as it does anything else.

cc @jayconrod @bcmills @katiehockman @hyangah
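
The following is an added example, not part of the original issue and not cmd/go's own code. It models the strawman `,` / `|` semantics proposed above and reports which GOPROXY entries would see a request; `proxyEntry`, `parseGOPROXY` and `contacted` are hypothetical names, and the per-entry statuses are constructed inputs.

```go
package main

import (
	"fmt"
	"strings"
)

// proxyEntry is one GOPROXY element and the delimiter rule that follows it.
type proxyEntry struct {
	URL   string
	OnAny bool // followed by '|': continue to the next entry on any failure
}

// parseGOPROXY splits on ',' and '|', remembering which delimiter followed each entry.
func parseGOPROXY(v string) []proxyEntry {
	var out []proxyEntry
	for v != "" {
		i := strings.IndexAny(v, ",|")
		if i < 0 {
			out = append(out, proxyEntry{URL: v})
			break
		}
		if v[:i] != "" {
			out = append(out, proxyEntry{URL: v[:i], OnAny: v[i] == '|'})
		}
		v = v[i+1:]
	}
	return out
}

// contacted lists entries that receive the request; status is simulated (0 = network error).
func contacted(entries []proxyEntry, status map[string]int) (seen []string, ok bool) {
	for _, e := range entries {
		seen = append(seen, e.URL)
		s := status[e.URL]
		if s == 200 {
			return seen, true
		}
		if s != 404 && s != 410 && !e.OnAny {
			return seen, false // unexpected error after ',': stop, nothing leaks onward
		}
	}
	return seen, false
}

func main() {
	entries := parseGOPROXY("goproxy.corp,proxy.golang.org|direct")
	fmt.Println(contacted(entries, map[string]int{"goproxy.corp": 500}))
	fmt.Println(contacted(entries, map[string]int{"goproxy.corp": 404, "proxy.golang.org": 500, "direct": 200}))
}
```

With the private proxy returning 500, only `goproxy.corp` sees the module path; with the public proxy returning 500 after a 404 from the private one, the request continues to `direct`.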
