Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
x/vgo: create go.modverify by default #24116
The security provided by go.modverify should not be opt-in.
I elaborated on why locking hashes into repositories is so important at https://groups.google.com/d/msg/golang-dev/MNQwgYHMEcY/Jl-piUJ_CgAJ
There is no reason we should encourage not using it, at least not until we have a solid story about alternative verification methods.
As I wrote on #24117:
Especially if we do have a solid plan for alternate verification methods, there is no point to littering everyone's repos with go.modverify files that will not be necessary in the long run.