go mod verify is extremely useful for validating the integrity of modules in the local cache.
It would be great if projects that choose to vendor their modules (then presumably building with go build -mod vendor ...) had a similar command to verify the integrity of modules in that directory.
This would satisfy a major requirement that many projects need to account for in their CI process: ensuring that vendored code hasn't been tampered with.
This is still on our radar, but probably not happening for 1.13. (We have a lot to do this cycle!)
I'm hoping to get to it in 1.14, but we don't have a 1.14 milestone defined yet.
@bcmills is there an update on this? Switching from dep to go mod means losing the ability to verify vendored dependencies before performing builds, etc, which is a big concern.
@sgreene570, note that in the interim you can simply re-run go mod vendor and check for diffs.
Verifying the checksums of the vendored modules requires the full module content (because that is what is checksummed), so either way you're going to have to download the full module into the local module cache.
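The interim approach described above (re-run go mod vendor and fail on any diff), as an added CI script that is not part of the issue thread or the Go toolchain; it assumes a git checkout with a go.mod and a committed vendor/ directory, and the `vendor_drift` and `check_vendor` names are the author's own.

```shell
# Added example: approximate "go mod verify" for vendored modules by regenerating
# vendor/ from go.mod/go.sum and failing if the result differs from what is committed.
# Assumes the working tree is a git checkout with go.mod and a committed vendor/ directory.
set -eu

# Read `git status --porcelain` lines on stdin and print only the paths under vendor/
# that differ from the committed tree (modified, added, deleted or untracked).
# Porcelain lines look like " M vendor/foo/bar.go" or "?? vendor/new/"; the path starts
# at column 4. Renames ("R  old -> new") are reported with their full "old -> new" text.
vendor_drift() {
  awk 'substr($0, 4) ~ /^vendor\// { print substr($0, 4) }'
}

# Full check for a CI job:
#  1. go mod verify validates the modules in the local cache (what the cache check covers).
#  2. go mod vendor regenerates vendor/ (including vendor/modules.txt) from that cache.
#  3. Any difference between the regenerated tree and the committed one means vendor/
#     no longer matches go.mod/go.sum and the job fails.
check_vendor() {
  go mod verify
  go mod vendor
  drift=$(git status --porcelain -- vendor | vendor_drift)
  if [ -n "$drift" ]; then
    echo "vendored modules differ from go.mod/go.sum:" >&2
    echo "$drift" >&2
    return 1
  fi
  echo "vendor/ matches go.mod and go.sum"
}

# Run the check only when invoked as "sh vendorcheck.sh --check", so sourcing this
# file just defines the functions.
if [ "${1:-}" = "--check" ]; then
  check_vendor
fi
```

The regeneration step downloads every listed module into the module cache, so network access (or a pre-populated GOMODCACHE) is needed in the CI job.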
This functionality would also be useful for #36852.
@jayconrod, @matloob: I think we should aim to get this implemented for 1.15.
Do you still hope to get this into 1.15?
No, it's definitely not happening for 1.15.