Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: allow verifying vendored code #27348

Open
krancour opened this issue Aug 29, 2018 · 1 comment

Comments

Projects
None yet
3 participants
@krancour
Copy link

commented Aug 29, 2018

go mod verify is extremely useful for validating the integrity of modules in the local cache.

It would be great if projects that choose to vendor their modules (then presumably building with go build -mod vendor ...) had a similar command to verify the integrity of modules in that directory.

This would satisfy a major requirement that many projects need to account for in their CI process-- ensuring that vendored code hasn't been tampered with.

@bcmills

This comment has been minimized.

Copy link
Member

commented Feb 15, 2019

This is still on our radar, but probably not happening for 1.13. (We have a lot to do this cycle!)

I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet.

@bcmills bcmills modified the milestones: Go1.13, Unplanned Feb 15, 2019

stp-ip added a commit to stp-ip/caddy that referenced this issue Mar 5, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.