Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.
Sign upcmd/go: allow verifying vendored code #27348
Comments
FiloSottile
added
NeedsInvestigation
FeatureRequest
modules
labels
Aug 29, 2018
FiloSottile
added this to the Go1.12 milestone
Aug 29, 2018
FiloSottile
changed the title
cmd/go: feature request: verify vendored code
cmd/go: allow verifying vendored code
Aug 29, 2018
bcmills
referenced this issue
Oct 11, 2018
Closed
cmd/go: go mod vendor does not produce a consistent modules.txt #28102
bcmills
modified the milestones:
Go1.12,
Go1.13
Oct 25, 2018
bcmills
referenced this issue
Dec 3, 2018
Open
cmd/go: the vendor/ folder should be kept up to date if present #29058
bcmills
referenced this issue
Jan 30, 2019
Open
cmd/go: should default to use mod=vendor flag if the vendor folder exists #27227
This was referenced Feb 15, 2019
This comment has been minimized.
This comment has been minimized.
|
This is still on our radar, but probably not happening for 1.13. (We have a lot to do this cycle!) I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet. |
bcmills
modified the milestones:
Go1.13,
Unplanned
Feb 15, 2019
added a commit
to stp-ip/caddy
that referenced
this issue
Mar 5, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
krancour commentedAug 29, 2018
go mod verifyis extremely useful for validating the integrity of modules in the local cache.It would be great if projects that choose to vendor their modules (then presumably building with
go build -mod vendor ...) had a similar command to verify the integrity of modules in that directory.This would satisfy a major requirement that many projects need to account for in their CI process-- ensuring that vendored code hasn't been tampered with.