Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
cmd/go: use version control to discover the main module's version? #29814
When a binary is build from within a module's source tree, the output from
If the source tree is a pristine checkout from a version-control system — or is within the (read-only) module cache — we could instead interrogate the version-control system to find the corresponding version or pseudo-version to embed.
However, that has a couple of caveats:
This would be valuable to users, but we should be really careful, and we should leverage our module verification infrastructure as much as we can.
I wonder if how far we can get just with
I'm not sure what the threat model is exactly, but I'd be worried about people trusting these stamps for authenticating binaries. A malicious user could rig up local VCS tools to tell cmd/go a module is pristine or is checked out from a certain tag when it really isn't.