Google Git
Sign in
go / mod / a410e2daa716f879ede62862a0351cad3606d11b
commita410e2daa716f879ede62862a0351cad3606d11b[log] [tgz]
authorFilippo Valsorda <hi@filippo.io>Wed Nov 17 16:25:38 2021 -0500
committerFilippo Valsorda <filippo@golang.org>Wed Mar 30 20:52:26 2022 +0000
tree64901af172c7563babf5153ff6ad615e31e4e39a
parent9b9b3d81d5e39b22d65814a8daf6723f3035d813 [diff]
sumdb/note: catch a Verifiers that returns the wrong Verifier

The Verifier method gets the name and hash of the signature, and is
supposed to only return a Verifier for that name and hash. If it
doesn't, we can catch it by double checking the KeyHash and Name method
return values against the signature.

Change-Id: I39b2e3616ac389718ebc7eaa6263a43b9152b2fa
Reviewed-on: https://go-review.googlesource.com/c/mod/+/364854
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Al Cutter <alcutter@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
2 files changed
tree: 64901af172c7563babf5153ff6ad615e31e4e39a
  1. gosumcheck/
  2. internal/
  3. modfile/
  4. module/
  5. semver/
  6. sumdb/
  7. zip/
  8. codereview.cfg
  9. go.mod
  10. go.sum
  11. LICENSE
  12. PATENTS
  13. README.md
README.md

mod

PkgGoDev

This repository holds packages for writing tools that work directly with Go module mechanics. That is, it is for direct manipulation of Go modules themselves.

It is NOT about supporting general development tools that need to do things like load packages in module mode. That use case, where modules are incidental rather than the focus, should remain in x/tools, specifically x/tools/go/packages.

The specific case of loading packages should still be done by invoking the go command, which remains the single point of truth for package loading algorithms.