by amtamt
1539 days ago
Perhaps "A module may have a text file named go.sum in its root directory, alongside its go.mod file. The go.sum file contains cryptographic hashes of the module’s direct and indirect dependencies." and "If the go.sum file is not present, or if it doesn’t contain a hash for the downloaded file, the go command may verify the hash using the checksum database, a global source of hashes for publicly available modules." should be stressed. If I committed a dependency version (go.mod) and checksum (go.sum) along with the code, either I get a repeatable build everywhere, or the build fails if a dependency is not found or is found to be modified. I am not sure if all other package managers include a checksum with the dependency version.
If we're talking about reproducible builds, the word "may" seems concerning here?