| commit | 1d3e6141fcb3b8adaf02512d0c049a7aa5e386b4 | [log] [tgz] |
|---|---|---|
| author | Russ Cox <rsc@golang.org> | Wed Jun 27 16:39:56 2018 -0400 |
| committer | Russ Cox <rsc@golang.org> | Fri Jun 29 04:14:05 2018 +0000 |
| tree | 59c5dc1dbc8fd20345888f3b7de3181bc46151e8 | |
| parent | cd1f2ee17589ba3f7f17471441f18612f864e850 [diff] |
cmd/go/internal/modfetch: check go.mod content using go.sum go.sum (formerly go.modverify) already contains lines like github.com/pkg/foo v1.2.3 h1:hashhashhashhashhash where the hash is a checksum over the whole file tree of the module. After this CL, it will also contain lines like: github.com/pkg/foo v1.2.3/go.mod h1:hashhashhashhashhash (note the /go.mod suffix on the version), where the hash is a checksum over the one-file tree containing only the go.mod for that module. This hash is recorded even for auto-generated go.mod files, because no matter how it arises, the exact go.mod is important for later reproducibility. Fixes golang/go#25526. Change-Id: Ib0ff32f45dd30421907f3ba181db726c7ac9379c Reviewed-on: https://go-review.googlesource.com/121301 Reviewed-by: Bryan C. Mills <bcmills@google.com>
This repository holds a prototype of what the go command might look like with integrated support for package versioning.
See research.swtch.com/vgo for documents about the design.
Use go get -u golang.org/x/vgo.
You can also manually git clone the repository to $GOPATH/src/golang.org/x/vgo.
See CONTRIBUTING.md.
This is still a very early prototype. You are likely to run into bugs. Please file bugs in the main Go issue tracker, golang.org/issue, and put the prefix x/vgo: in the issue title.
Thank you.