You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've been working under the assumption that backward compatibility promises would extend to "go mod vendor". This way, developers using 1.23.x and 1.22.x won't have thrashing changes when working on the same module.
The text was updated successfully, but these errors were encountered:
I tried changing GOROOT to point at the repository directory, and that seems to make go1.23.0 mod vendor reproducible. The golang.org/x/crypto/sha3 seems to be bleeding through from 1.23.0's GOROOT.
I suppose this might be reasonable: go mod treats the imports in the std module as imports of the go1.23.0 standard library because that's what GOROOT is pointing at, so go1.23.0 mod vendor finds those dependencies in that source and vendors them. If this is true, then maybe this is special with std and doesn't affect ordinary Go development.
I'm not sure how this is intended to work, but maybe it's fine if documented in README.vendor?
Go version
go version go1.23.0 linux/amd64
Output of
go env
in your module/workspace:What did you do?
After checking out go1.22.6, in
src
:(Used https://pkg.go.dev/golang.org/dl to download both Go versions.)
What did you see happen?
The first
git diff
has no output. This means go1.22.6's vendor directory is reproducible when I run Go 1.22.6.The second
git diff
shows:(The golang.org/x/crypto/sha3 source is also added into
vendor/
.)What did you expect to see?
I expected reproducible results both times.
I filed this based on https://groups.google.com/g/golang-nuts/c/BEsmO16g37I, where I mentioned why this is what I expected:
The text was updated successfully, but these errors were encountered: