You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This was noticed via renovatebot/renovate#3017, I didn't manage to find any details of what should be in go.sum. go get -d populates go.sum file with different content if a dependency present in go.mod is used or not
package main
import _ "gopkg.in/yaml.v2"
func main() {}
Running go get creates a go.sum file:
$ GO111MODULE=on go get -d
$ cat go.sum
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
If I remove import _ "gopkg.in/yaml.v2" line from main.go so that it contains:
package main
func main() {}
Remove go.sum and re-run go get:
$ rm go.sum
$ GO111MODULE=on go get -d
$ cat go.sum
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
I'll get one line less in go.sum file (gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=).
What did you expect to see?
I expected go.sum to be created in a consistent way, which would help with reproducible builds.
Having documentation around it would help manage expectations around the behavior of how go.sum is populated under different scenarios.
One reason that know this is useful is that it was mentioned that go.sum is "kinda like a lockfile" and one should commit it to the vcs. Because it gets populated differently under different scenarios it's not clear to me when should I commit it. After reading that go mod tidy ensures that dependecies for all possible OS/arch combos are preset it seems to me that ideally one should commit go.sum only after running go mod tidy, otherwise some commands might generate local changes in that file.
What did you see instead?
go.sum is created with different content depending on which dependencies from go.mod are imported.
The text was updated successfully, but these errors were encountered:
We should wait to document this until #25530 is resolved, since that will change when and how go.sum is populated.
In general, though, you can commit the go.sum file at any point: entries may be added or deleted as you run go mod tidy and various build/test commands, but the entry for a given version will not change.
go mod tidy should populate go.sum with an essentially complete set of entries.
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
1.11.4 is the latest release
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
This was noticed via renovatebot/renovate#3017, I didn't manage to find any details of what should be in
go.sum
.go get -d
populatesgo.sum
file with different content if a dependency present ingo.mod
is used or notDependency used
go.mod:
main.go
Running
go get
creates ago.sum
file:If I remove
import _ "gopkg.in/yaml.v2"
line frommain.go
so that it contains:Remove
go.sum
and re-rungo get
:I'll get one line less in
go.sum
file (gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
).What did you expect to see?
I expected
go.sum
to be created in a consistent way, which would help with reproducible builds.Having documentation around it would help manage expectations around the behavior of how
go.sum
is populated under different scenarios.One reason that know this is useful is that it was mentioned that
go.sum
is "kinda like a lockfile" and one should commit it to the vcs. Because it gets populated differently under different scenarios it's not clear to me when should I commit it. After reading thatgo mod tidy
ensures that dependecies for all possible OS/arch combos are preset it seems to me that ideally one should commitgo.sum
only after runninggo mod tidy
, otherwise some commands might generate local changes in that file.What did you see instead?
go.sum
is created with different content depending on which dependencies fromgo.mod
are imported.The text was updated successfully, but these errors were encountered: