x/vgo: create go.modverify by default #24116

FiloSottile · 2018-02-25T15:23:47Z

The security provided by go.modverify should not be opt-in.

I elaborated on why locking hashes into repositories is so important at https://groups.google.com/d/msg/golang-dev/MNQwgYHMEcY/Jl-piUJ_CgAJ

There is no reason we should encourage not using it, at least not until we have a solid story about alternative verification methods.

rsc · 2018-03-30T15:49:13Z

As I wrote on #24117:

Not yet. We're fixing one thing at a time. The first thing to fix is management of versions at all. The second thing is verification. There's no need to do both at once. We've gotten by this long with "go get" with no modverify. Let's get versions into go first, and then turn our attention to verifying.

Especially if we do have a solid plan for alternate verification methods, there is no point to littering everyone's repos with go.modverify files that will not be necessary in the long run.

gopherbot added this to the vgo milestone Feb 25, 2018

FiloSottile mentioned this issue Feb 25, 2018

cmd/go: maintain a GOPATH-wide go.sum #24117

Closed

rsc closed this as completed Mar 30, 2018

golang locked and limited conversation to collaborators Mar 30, 2019

gopherbot added the FrozenDueToAge label Mar 30, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vgo: create go.modverify by default #24116

x/vgo: create go.modverify by default #24116

FiloSottile commented Feb 25, 2018 •

edited

rsc commented Mar 30, 2018

x/vgo: create go.modverify by default #24116

x/vgo: create go.modverify by default #24116

Comments

FiloSottile commented Feb 25, 2018 • edited

rsc commented Mar 30, 2018

FiloSottile commented Feb 25, 2018 •

edited