Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vgo: unknown whether modules match the original commit #23992

Closed
mpx opened this issue Feb 21, 2018 · 2 comments

Comments

@mpx
Copy link
Contributor

commented Feb 21, 2018

go version go1.10 linux/amd64 vgo:2018-02-20.1

vgo does not have enough info in go.mod to ensure the retrieved modules are the same that used when originally committed. There are several reasons why fetching modules for a particular tag might return something different (an updated tag, interference, bugs,..).

Ideally vgo should be able to confidently build the same modules in use when originally committed, or make it obvious if it has changed.

Some companies may partially mitigate this by providing their own source retrieval infrastructure to assist with reproducible builds, but this won't be an option for most Go users, and vgo would still need to trust the infrastructure and assume the build was correct. It also doesn't solve the problem with the initial fetch.

Perhaps a hash could be added for each module specified in go.mod, similar to existing vendoring tools? Eg: require "github.com/foo/bar" v1.2.3 sha256:2dc84245...b18cca39

@gopherbot gopherbot added this to the vgo milestone Feb 21, 2018

@seeruk

This comment has been minimized.

Copy link

commented Feb 21, 2018

This is pretty much the only issue I've seen raised internally where I work when we've been discussing this new tooling. Git tags are mutable, and that's a huge problem for something like this, it's a huge problem that lock files help to mitigate easily for a lot of use-cases.

@balasanjay

This comment has been minimized.

Copy link
Contributor

commented Feb 22, 2018

The latest vgo article is on this topic: https://research.swtch.com/vgo-repro.

tl;dr: Seems like creating an empty "go.modverify" in your repository will have vgo catch any instance where source changes underneath a given version.

@kardianos kardianos closed this Feb 28, 2018

@golang golang locked and limited conversation to collaborators Feb 28, 2019

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
5 participants
You can’t perform that action at this time.