proposal: cmd/go: use go.sum hashes from all downloaded modules #28802
Rather than maintaining a global
Here is my rationale:
To allow such errors to be corrected over time, it is important that we ignore the contents of
On the other hand, if we build code from a module using some version of a dependency known to that module, it is important that we use the same version it was (or may have been) tested against. This is especially important for builds performed outside of any module (#24250): in that case there is no root
In contrast to a “global”
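To make the cross-checking idea concrete, here is an added example (not cmd/go's own code) that merges go.sum contents from the main module and from downloaded dependencies and reports any module@version recorded with more than one hash. Source names and the h1: values are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// FindConflicts merges go.sum contents keyed by source (main module or a downloaded
// dependency) and returns each "module version" that is recorded with more than one
// distinct hash, mapped hash -> sources. Agreement proves nothing on its own, but
// disagreement means some recorded copy is tampered with or stale and the build should stop.
func FindConflicts(sums map[string]string) map[string]map[string][]string {
	seen := map[string]map[string][]string{}
	for src, content := range sums {
		for _, line := range strings.Split(content, "\n") {
			f := strings.Fields(line) // "<module> <version>[/go.mod] h1:<hash>"
			if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
				continue // blank or malformed line
			}
			key := f[0] + " " + f[1]
			if seen[key] == nil {
				seen[key] = map[string][]string{}
			}
			seen[key][f[2]] = append(seen[key][f[2]], src)
		}
	}
	for key, hashes := range seen {
		if len(hashes) < 2 {
			delete(seen, key) // only keep entries on which sources disagree
		}
	}
	return seen
}

// Constructed sample; the hashes are placeholders, not real h1: digests.
var SampleSums = map[string]string{
	"main module":  "golang.org/x/text v0.3.0 h1:AAAA\ngolang.org/x/text v0.3.0/go.mod h1:BBBB\n",
	"dependency A": "golang.org/x/text v0.3.0 h1:AAAA\ngolang.org/x/text v0.3.0/go.mod h1:BBBB\n",
	"dependency B": "golang.org/x/text v0.3.0 h1:CCCC\n",
}

func main() {
	for key, hashes := range FindConflicts(SampleSums) {
		fmt.Printf("go.sum disagreement for %s: %v\n", key, hashes)
	}
}
```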
I like this; checking more just isn't likely to hurt (apart from more CPU & IO burned).
I'm not sure it's really in any way in conflict with a "global" (per-user) go.sum, though. The global go.sum's job is to make the TOFU security property sticky to the user, not to the project. For example, if you start a new project and
Then again, TOFU on this level doesn't prevent a new version from being malware, so the extra assurance is pretty small...
Per in-person discussion this morning, this has a clear benefit when operating outside of any main module, but it's much less obvious inside a module (where there is generally already a single, authoritative
For 1.13, I'll send a CL to enable it only in the former case, and we can consider expanding it depending on how that goes.