commit | a410e2daa716f879ede62862a0351cad3606d11b | [log] [tgz] |
---|---|---|
author | Filippo Valsorda <hi@filippo.io> | Wed Nov 17 16:25:38 2021 -0500 |
committer | Filippo Valsorda <filippo@golang.org> | Wed Mar 30 20:52:26 2022 +0000 |
tree | 64901af172c7563babf5153ff6ad615e31e4e39a | |
parent | 9b9b3d81d5e39b22d65814a8daf6723f3035d813 [diff] |
sumdb/note: catch a Verifiers that returns the wrong Verifier The Verifier method gets the name and hash of the signature, and is supposed to only return a Verifier for that name and hash. If it doesn't, we can catch it by double checking the KeyHash and Name method return values against the signature. Change-Id: I39b2e3616ac389718ebc7eaa6263a43b9152b2fa Reviewed-on: https://go-review.googlesource.com/c/mod/+/364854 Trust: Filippo Valsorda <filippo@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Al Cutter <alcutter@google.com> Reviewed-by: Russ Cox <rsc@golang.org>
This repository holds packages for writing tools that work directly with Go module mechanics. That is, it is for direct manipulation of Go modules themselves.
It is NOT about supporting general development tools that need to do things like load packages in module mode. That use case, where modules are incidental rather than the focus, should remain in x/tools, specifically x/tools/go/packages.
The specific case of loading packages should still be done by invoking the go command, which remains the single point of truth for package loading algorithms.