Skip to content

/go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: allow verifying vendored code #27348

Open
krancour opened this issue Aug 29, 2018 · 1 comment
Labels
FeatureRequest NeedsInvestigation modules
Milestone
Backlog

Comments

@krancour
Copy link

@krancour krancour commented Aug 29, 2018

go mod verify is extremely useful for validating the integrity of modules in the local cache.

It would be great if projects that choose to vendor their modules (then presumably building with go build -mod vendor ...) had a similar command to verify the integrity of modules in that directory.

This would satisfy a major requirement that many projects need to account for in their CI process-- ensuring that vendored code hasn't been tampered with.
@FiloSottile FiloSottile added this to the Go1.12 milestone Aug 29, 2018
@FiloSottile FiloSottile changed the title cmd/go: feature request: verify vendored code cmd/go: allow verifying vendored code Aug 29, 2018
@bcmills bcmills referenced this issue Oct 11, 2018
Closed
@bcmills bcmills modified the milestones: Go1.12, Go1.13 Oct 25, 2018
@bcmills bcmills referenced this issue Nov 16, 2018
Closed
@bcmills bcmills referenced this issue Dec 3, 2018
Closed
@bcmills bcmills referenced this issue Jan 30, 2019
Closed
This was referenced Feb 15, 2019
Closed
Open
@bcmills

This comment has been minimized.

Sign in to view
Copy link
Member

@bcmills bcmills commented Feb 15, 2019

This is still on our radar, but probably not happening for 1.13. (We have a lot to do this cycle!)

I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet.
@bcmills bcmills modified the milestones: Go1.13, Unplanned Feb 15, 2019
stp-ip added a commit to stp-ip/caddy that referenced this issue Mar 5, 2019
@stp-ip
Remove vendor check until supported by go mod verify
e435af0 
Tracking issue: golang/go#27348
@sixolet sixolet referenced this issue Apr 5, 2019
Merged
@amshinde amshinde referenced this issue Jul 31, 2019
Closed
amshinde added a commit to kata-containers/tests that referenced this issue Jul 31, 2019
@amshinde
modules: Verification for go modules
Loading status checks…
1e1ffaa 
While we move to go modules, perform the dep check for repos
that still use dep.
Run `go mod verify` instead for go modules.
Note, this just verifies the integrity of modules in the local
cache. We would have instead wanted to verify the vendored code
here, but that is still not supported.
golang/go#27348

Fixes #1879

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
@amshinde amshinde referenced this issue Jul 31, 2019
Merged
@bcmills bcmills modified the milestones: Unplanned, Go1.14 Aug 15, 2019
@bcmills bcmills referenced this issue Aug 26, 2019
Closed
@na-- na-- referenced this issue Sep 11, 2019
Open
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
stevendanna added a commit to chef/automate that referenced this issue Nov 4, 2019
@stevendanna
fix change to vendored files
Verified
This commit was signed with a verified signature.
stevendanna Steven Danna
GPG key ID: 94DFB46E861A7DAE Learn about signing commits
Loading status checks…
d73f30b 
`go mod verify` does not verify the vendored copies of
dependencies:

golang/go#27348

As such, it seems that this change snuck in. This commit is the result
of commit the all changes produced by `make revendor` on master.

Signed-off-by: Steven Danna <steve@chef.io>
@stevendanna stevendanna referenced this issue Nov 4, 2019
Merged
stevendanna added a commit to chef/automate that referenced this issue Nov 4, 2019
@stevendanna
fix change to vendored files (#2102)
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
1ca18af 
`go mod verify` does not verify the vendored copies of
dependencies:

golang/go#27348

As such, it seems that this change snuck in. This commit is the result
of commit the all changes produced by `make revendor` on master.

Signed-off-by: Steven Danna <steve@chef.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FeatureRequest NeedsInvestigation modules
Projects
None yet
Milestone
  Backlog
4 participants
@krancour @bcmills @rsc @FiloSottile
You can’t perform that action at this time.