cmd/go/internal/modfetch: check go.mod content using go.sum

go.sum (formerly go.modverify) already contains lines like

	github.com/pkg/foo v1.2.3 h1:hashhashhashhashhash

where the hash is a checksum over the whole file tree of the module.
After this CL, it will also contain lines like:

	github.com/pkg/foo v1.2.3/go.mod h1:hashhashhashhashhash

(note the /go.mod suffix on the version), where the hash is a checksum
over the one-file tree containing only the go.mod for that module.
This hash is recorded even for auto-generated go.mod files,
because no matter how it arises, the exact go.mod is important
for later reproducibility.

Fixes golang/go#25526.

Change-Id: Ib0ff32f45dd30421907f3ba181db726c7ac9379c
Reviewed-on: https://go-review.googlesource.com/121301
Reviewed-by: Bryan C. Mills <bcmills@google.com>
5 files changed
tree: 59c5dc1dbc8fd20345888f3b7de3181bc46151e8
  1. AUTHORS
  2. CONTRIBUTING.md
  3. CONTRIBUTORS
  4. LICENSE
  5. PATENTS
  6. README.md
  7. codereview.cfg
  8. main.go
  9. vendor/
README.md

Versioned Go Prototype (vgo)

This repository holds a prototype of what the go command might look like with integrated support for package versioning.

See research.swtch.com/vgo for documents about the design.

Download/Install

Use go get -u golang.org/x/vgo.

You can also manually git clone the repository to $GOPATH/src/golang.org/x/vgo.

Report Issues / Send Patches

See CONTRIBUTING.md.

This is still a very early prototype. You are likely to run into bugs. Please file bugs in the main Go issue tracker, golang.org/issue, and put the prefix x/vgo: in the issue title.

Thank you.