Skip to content

cmd/go: document different ways go.sum is populated #29492

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
prymitive opened this issue Jan 1, 2019 · 3 comments
Open

cmd/go: document different ways go.sum is populated #29492

prymitive opened this issue Jan 1, 2019 · 3 comments
Labels
Documentation Issues describing a change to documentation. GoCommand cmd/go WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Milestone
Backlog

Comments

@prymitive
Copy link

prymitive commented Jan 1, 2019
edited
Loading

What version of Go are you using (go version)?

$ go version
go version go1.11.4 darwin/amd64

Does this issue reproduce with the latest release?

1.11.4 is the latest release

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/lukasz/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/lukasz/Go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/qs/6r1dd8md22bggtghnmmhlf9m0000gn/T/go-build246619765=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

This was noticed via renovatebot/renovate#3017, I didn't manage to find any details of what should be in go.sum.
go get -d populates go.sum file with different content if a dependency present in go.mod is used or not

Dependency used

go.mod:

module github.com/prymitive/test

require gopkg.in/yaml.v2 v2.2.2

main.go

package main

import _ "gopkg.in/yaml.v2"

func main() {}

Running go get creates a go.sum file:

$ GO111MODULE=on go get -d
$ cat go.sum
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

If I remove import _ "gopkg.in/yaml.v2" line from main.go so that it contains:

package main

func main() {}

Remove go.sum and re-run go get:

$ rm go.sum
$ GO111MODULE=on go get -d
$ cat go.sum
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

I'll get one line less in go.sum file (gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=).

What did you expect to see?

I expected go.sum to be created in a consistent way, which would help with reproducible builds.
Having documentation around it would help manage expectations around the behavior of how go.sum is populated under different scenarios.
One reason that know this is useful is that it was mentioned that go.sum is "kinda like a lockfile" and one should commit it to the vcs. Because it gets populated differently under different scenarios it's not clear to me when should I commit it. After reading that go mod tidy ensures that dependecies for all possible OS/arch combos are preset it seems to me that ideally one should commit go.sum only after running go mod tidy, otherwise some commands might generate local changes in that file.

What did you see instead?

go.sum is created with different content depending on which dependencies from go.mod are imported.
@gopherbot gopherbot added the Documentation Issues describing a change to documentation. label Jan 1, 2019
@prymitive prymitive mentioned this issue Jan 1, 2019
Closed
@agnivade
Copy link
Contributor

/cc @bcmills

@bcmills bcmills changed the title Document different ways go.sum is populated cmd/go: document different ways go.sum is populated Feb 25, 2019
@bcmills
Copy link
Contributor

bcmills commented Mar 14, 2019

We should wait to document this until #25530 is resolved, since that will change when and how go.sum is populated.

In general, though, you can commit the go.sum file at any point: entries may be added or deleted as you run go mod tidy and various build/test commands, but the entry for a given version will not change.

go mod tidy should populate go.sum with an essentially complete set of entries.

@bcmills bcmills added the NeedsFix The path to resolution is known, but the work has not been done. label Mar 14, 2019
@bcmills bcmills added this to the Go1.13 milestone Mar 14, 2019
@andybons andybons modified the milestones: Go1.13, Go1.14 Jul 8, 2019
@rsc rsc modified the milestones: Go1.14, Backlog Oct 9, 2019
@pikapika2020 pikapika2020 mentioned this issue Apr 29, 2020
Merged
@gabyhelp gabyhelp mentioned this issue Nov 14, 2024
Closed
@seankhliao seankhliao added the GoCommand cmd/go label Feb 22, 2025
@matloob
Copy link
Contributor

matloob commented Mar 27, 2025

Could you provide more information about what would be useful to document?

@matloob matloob added WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided. and removed NeedsFix The path to resolution is known, but the work has not been done. labels Mar 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Documentation Issues describing a change to documentation. GoCommand cmd/go WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
8 participants
@rsc @prymitive @andybons @agnivade @bcmills @gopherbot @seankhliao @matloob