Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upcmd/go: allow verifying vendored code #27348
Comments
FiloSottile
changed the title
|
This is still on our radar, but probably not happening for 1.13. (We have a lot to do this cycle!) I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet. |
Tracking issue: golang/go#27348
While we move to go modules, perform the dep check for repos that still use dep. Run `go mod verify` instead for go modules. Note, this just verifies the integrity of modules in the local cache. We would have instead wanted to verify the vendored code here, but that is still not supported. golang/go#27348 Fixes #1879 Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
`go mod verify` does not verify the vendored copies of dependencies: golang/go#27348 As such, it seems that this change snuck in. This commit is the result of commit the all changes produced by `make revendor` on master. Signed-off-by: Steven Danna <steve@chef.io>
`go mod verify` does not verify the vendored copies of dependencies: golang/go#27348 As such, it seems that this change snuck in. This commit is the result of commit the all changes produced by `make revendor` on master. Signed-off-by: Steven Danna <steve@chef.io>
@bcmills is there an update on this? Switching from dep to go mod means losing the ability to verify vendored dependencies before performing builds, etc, which is a big concern. |
|
@sgreene570, note that in the interim you can simply re-run Verifying the checksums of the vendored modules requires the full module content (because that is what is checksummed), so either way you're going to have to download the full module into the local module cache. |
|
This functionality would also be useful for #36852. |
|
@jayconrod, @matloob: I think we should aim to get this implemented for 1.15. |
|
Do you still hope to get this into 1.15? |
|
No, it's definitely not happening for 1.15. |
go mod verifyis extremely useful for validating the integrity of modules in the local cache.It would be great if projects that choose to vendor their modules (then presumably building with
go build -mod vendor ...) had a similar command to verify the integrity of modules in that directory.This would satisfy a major requirement that many projects need to account for in their CI process-- ensuring that vendored code hasn't been tampered with.