cmd/go: allow verifying vendored code #27348

Open
krancour opened this issue Aug 29, 2018 · 7 comments

@krancour krancour commented Aug 29, 2018

`go mod verify` is extremely useful for validating the integrity of modules in the local cache.

It would be great if projects that choose to vendor their modules (then presumably building with `go build -mod vendor ...`) had a similar command to verify the integrity of modules in that directory.

This would satisfy a major requirement that many projects need to account for in their CI process: ensuring that vendored code hasn't been tampered with.

@bcmills bcmills (Member) commented Feb 15, 2019

This is still on our radar, but probably not happening for 1.13. (We have a lot to do this cycle!)

I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet.

@bcmills bcmills modified the milestones: Go1.13, Unplanned Feb 15, 2019
stp-ip added a commit to stp-ip/caddy that referenced this issue Mar 5, 2019
amshinde added a commit to kata-containers/tests that referenced this issue Jul 31, 2019
While we move to go modules, perform the dep check for repos
that still use dep.
Run `go mod verify` instead for go modules.
Note, this just verifies the integrity of modules in the local
cache. We would have instead wanted to verify the vendored code
here, but that is still not supported.
golang/go#27348

Fixes #1879

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
@bcmills bcmills modified the milestones: Unplanned, Go1.14 Aug 15, 2019
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
stevendanna added a commit to chef/automate that referenced this issue Nov 4, 2019
`go mod verify` does not verify the vendored copies of
dependencies:

golang/go#27348

As such, it seems that this change snuck in. This commit is the result
of committing all the changes produced by `make revendor` on master.

Signed-off-by: Steven Danna <steve@chef.io>
@sgreene570 sgreene570 commented Jan 2, 2020

> I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet.

@bcmills is there an update on this? Switching from dep to go mod means losing the ability to verify vendored dependencies before performing builds, etc, which is a big concern.

@bcmills bcmills (Member) commented Jan 10, 2020

@sgreene570, note that in the interim you can simply re-run `go mod vendor` and check for diffs.

Verifying the checksums of the vendored modules requires the full module content (because that is what is checksummed), so either way you're going to have to download the full module into the local module cache.
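
The point in the comment above, as an added example that is not part of the thread or the Go project's code: the go.sum `h1:` hash covers every file of the module, so a pruned vendor copy never reproduces it, and a vendor check has to compare the vendored subset against the full, verified module content. The module name, file contents and the helper names `hashH1`, `drift` and `sample` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)
const mod = "example.com/lib@v1.0.0" // constructed module, not a real one

// hashH1 mirrors the go.sum "h1:" hash: SHA-256 over one
// "<sha256 hex>  <module@version/path>\n" line per file, sorted by name.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%x  %s/%s\n", sha256.Sum256(files[n]), mod, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// drift lists vendored files missing from, or different from, the full module.
func drift(full, vendored map[string][]byte) (bad []string) {
	for n, data := range vendored {
		if want, ok := full[n]; !ok || !bytes.Equal(want, data) {
			bad = append(bad, n)
		}
	}
	sort.Strings(bad)
	return bad
}

// sample returns a constructed full module and its pruned vendored copy.
func sample() (full, vendored map[string][]byte) {
	full = map[string][]byte{"go.mod": []byte("module example.com/lib\n"),
		"lib.go": []byte("package lib\n"), "lib_test.go": []byte("package lib\n")}
	return full, map[string][]byte{"lib.go": []byte("package lib\n")}
}

func main() {
	full, vend := sample()
	fmt.Println("h1 equal:", hashH1(full) == hashH1(vend), "drift:", drift(full, vend))
	vend["lib.go"] = append(vend["lib.go"], "// edited\n"...)
	fmt.Println("after edit, drift:", drift(full, vend))
}
```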

@bcmills bcmills (Member) commented Jan 31, 2020

This functionality would also be useful for #36852.

@bcmills bcmills (Member) commented Jan 31, 2020

@jayconrod, @matloob: I think we should aim to get this implemented for 1.15.

@bcmills bcmills modified the milestones: Backlog, Go1.15 Jan 31, 2020
@sykesm sykesm mentioned this issue Mar 31, 2020
@ianlancetaylor ianlancetaylor (Contributor) commented May 19, 2020

Do you still hope to get this into 1.15?

@bcmills bcmills modified the milestones: Go1.15, Go1.16 May 19, 2020
@bcmills bcmills (Member) commented May 19, 2020

No, it's definitely not happening for 1.15.
