|author||Russ Cox <email@example.com>||Wed Jun 27 16:39:56 2018 -0400|
|committer||Russ Cox <firstname.lastname@example.org>||Fri Jun 29 04:14:05 2018 +0000|
cmd/go/internal/modfetch: check go.mod content using go.sum go.sum (formerly go.modverify) already contains lines like github.com/pkg/foo v1.2.3 h1:hashhashhashhashhash where the hash is a checksum over the whole file tree of the module. After this CL, it will also contain lines like: github.com/pkg/foo v1.2.3/go.mod h1:hashhashhashhashhash (note the /go.mod suffix on the version), where the hash is a checksum over the one-file tree containing only the go.mod for that module. This hash is recorded even for auto-generated go.mod files, because no matter how it arises, the exact go.mod is important for later reproducibility. Fixes golang/go#25526. Change-Id: Ib0ff32f45dd30421907f3ba181db726c7ac9379c Reviewed-on: https://go-review.googlesource.com/121301 Reviewed-by: Bryan C. Mills <email@example.com>
This repository holds a prototype of what the go command might look like with integrated support for package versioning.
See research.swtch.com/vgo for documents about the design.
go get -u golang.org/x/vgo.
You can also manually git clone the repository to
This is still a very early prototype. You are likely to run into bugs. Please file bugs in the main Go issue tracker, golang.org/issue, and put the prefix
x/vgo: in the issue title.