You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Not yet. We're fixing one thing at a time. The first thing to fix is management of versions at all. The second thing is verification. There's no need to do both at once. We've gotten by this long with "go get" with no modverify. Let's get versions into go first, and then turn our attention to verifying.
Especially if we do have a solid plan for alternate verification methods, there is no point to littering everyone's repos with go.modverify files that will not be necessary in the long run.
The security provided by go.modverify should not be opt-in.
I elaborated on why locking hashes into repositories is so important at https://groups.google.com/d/msg/golang-dev/MNQwgYHMEcY/Jl-piUJ_CgAJ
There is no reason we should encourage not using it, at least not until we have a solid story about alternative verification methods.
The text was updated successfully, but these errors were encountered: