cmd/go: describe difference in `go mod verify` vs verification during 'go mod tidy'

[hyangah]

What version of Go are you using (go version)?

$ gotip version
go version devel +ef3ef8fcdf Wed Dec 11 15:43:50 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ gotip env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="$HOME/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="$HOME/golang/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="$HOME/golang/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/tmp/s/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build777528967=/tmp/go-build -gno-record-gcc-switches"

What did you do?

tainted the hash in the go.sum file in workspace (e.g. modifying the hash values manually) and ran go mod tidy and go mod verify

What did you expect to see?

go mod verify reports the problem.

What did you see instead?

go mod verify reports everything is all good.
Thankfully, go mod tidy detects the problem.

$ go mod verify
all modules verified
$  go mod tidy
verifying golang.org/x/text@v0.0.0-20170915032832-14c0d48ead0c: checksum mismatch
	downloaded: h1:qgOY6WgZOaTkIIMiVjBQcw93ERBE4m30iBm00nkL0i8=
	go.sum:     h1:qgOY6WgZOaTkIIMiVjBQcw93ERBE4m30iBm00nkl0i8=

SECURITY ERROR
...

I guess it's because go mod verify checks only whether the version in the cache is valid. go mod help verify implies that already, but I found this behavior somewhat surprising.

[mvdan]

Hm, it sounds like a bug to me if go mod tidy verifies more stuff than go mod verify. Why not make verify exhaustive?

[jayconrod]

@mvdan Agreed that verify should be exhaustive.

All commands that download modules will check sums when those modules are ingested into the cache.

go mod verify checks the sums of modules that are already in the cache. It doesn't download anything that's not already there though. I don't think it looks at go.sum. Its purpose is to detect tampering with the cache after modules are downloaded.

[mvdan]

I'm not sure if I follow the entire puzzle. To feel entirely safe, I'd assume that go mod verify would do all the consistency checks that go mod tidy does, and would also:

1. Verify that go.sum agrees with the module proxy, e.g. proxy.golang.org
2. Verify that the module cache agrees with go.sum

Part 1 would probably need to be best-effort, due to env vars like GOPROXY and GONOSUMDB, but I think that's fine.

If that's what you mean, all good. When you said "go mod verify doesn't look at go.sum", what I understood is that there isn't a bug to fix here, as it's working as intended.