cmd/go: describe difference in `go mod verify` vs verification during 'go mod tidy' #36130
Comments
Hm, it sounds like a bug to me if |
@mvdan Agreed that All commands that download modules will check sums when those modules are ingested into the cache.
|
I'm not sure if I follow the entire puzzle. To feel entirely safe, I'd assume that
Part 1 would probably need to be best-effort, due to env vars like If that's what you mean, all good. When you said " |
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
tainted the hash in the
go.sum
file in workspace (e.g. modifying the hash values manually) and rango mod tidy
andgo mod verify
What did you expect to see?
go mod verify
reports the problem.What did you see instead?
go mod verify
reports everything is all good.Thankfully,
go mod tidy
detects the problem.I guess it's because
go mod verify
checks only whether the version in the cache is valid.go mod help verify
implies that already, but I found this behavior somewhat surprising.The text was updated successfully, but these errors were encountered: