go.sum are different when using go mod vendor/download
I have a problem with the usage of commands go mod vendor and go mod download in a go module.
When I'm using go mod vendor, the generated go.sum has extra lines. E.g., when I'm using go mod download, the go.sum contains:
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
However, if I remove the go.sum and run go mod vendor, I have 2 lines:
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
This is problematic because if I commit the go.sum after running go mod vendor, any further go mod download (which may be used by someone else or in CI) will not work because of mismatching hashes which lead to a security issue.
Is there something I'm doing wrong in the usage of go mod vendor and go mod download? Why would they produce different hashes in the go.sum?
Here is the kind of error which instantly happens:
verifying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@v0.1.0: checksum mismatch
downloaded: h1:tIKKCv/bUyBNvVsB6YLo0Ds9ZFdGJ0FKkFun22nwvCI=
go.sum: h1:qta5K5jjJg+TnsD76tcFK7Bjf402WP9MIbPsJGU11Ms=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
(Note: I replaced the name of the package by xxx because it carries my company name)
The fact that go mod download did not add go.sum entries for the downloaded modules was arguably a bug, and it will be fixed in the upcoming Go 1.16 release (see https://golang.org/issue/41341).
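
Added example (not from the original post or the Go project): a small parser for the go.sum lines quoted in the question, which distinguishes an entry whose version ends in /go.mod (hash of the go.mod file only) from one with a bare version (hash of the module's whole file tree) and reports module versions that have only the former. The function names parseGoSum and missingTreeHash and the conflict rule are choices of this example, not the go command's API.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// The go.sum lines quoted in the question, as left by each command.
const afterDownload = "github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\n"
const afterVendor = "github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=\n" + afterDownload

// parseGoSum maps "module@version" (file-tree hash) and
// "module@version/go.mod" (go.mod-only hash) to the recorded h1 value.
// It rejects malformed lines and an entry recorded twice with different hashes.
func parseGoSum(text string) (map[string]string, error) {
	out := map[string]string{}
	for _, line := range strings.FieldsFunc(text, func(r rune) bool { return r == '\n' || r == '\r' }) {
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum entry %q", line)
		}
		key := f[0] + "@" + f[1]
		if old, ok := out[key]; ok && old != f[2] {
			return nil, fmt.Errorf("conflicting hashes for %s", key)
		}
		out[key] = f[2]
	}
	return out, nil
}

// missingTreeHash lists the module versions that have a go.mod hash but no
// file-tree hash, sorted for stable output.
func missingTreeHash(m map[string]string) (keys []string) {
	for k := range m {
		base := strings.TrimSuffix(k, "/go.mod")
		if _, ok := m[base]; base != k && !ok {
			keys = append(keys, base)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() {
	m, err := parseGoSum(afterDownload)
	fmt.Println("go.mod hash only:", missingTreeHash(m), "error:", err)
}
```

On the question's two inputs, the go.mod entry is byte-for-byte the same in both files; the file written after go mod vendor only adds the file-tree entry for the same module version.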