x/vgo: create go.modverify by default #24116

Closed
@FiloSottile

Description

The security provided by go.modverify should not be opt-in.

I elaborated on why locking hashes into repositories is so important at https://groups.google.com/d/msg/golang-dev/MNQwgYHMEcY/Jl-piUJ_CgAJ

There is no reason we should encourage not using it, at least not until we have a solid story about alternative verification methods.

Activity

added this to the vgo milestone on Feb 25, 2018
rsc commented on Mar 30, 2018

Contributor

As I wrote on #24117:

Not yet. We're fixing one thing at a time. The first thing to fix is management of versions at all. The second thing is verification. There's no need to do both at once. We've gotten by this long with "go get" with no modverify. Let's get versions into go first, and then turn our attention to verifying.

Especially if we do have a solid plan for alternate verification methods, there is no point to littering everyone's repos with go.modverify files that will not be necessary in the long run.

locked and limited conversation to collaborators on Mar 30, 2019

x/vgo: create go.modverify by default · Issue #24116 · golang/go