Hacker News

wereHamster, last Thursday at 8:44 AM (3 replies)

A lock file, in my world, contains a cryptographic hash of dependencies. go.mod does not, it only lists tags, which are (in git) movable references.

If go.sum has "no observable effect on builds", you don't know what you're building and go can download and run unverified code.

I'm not a go developer and must be misunderstanding something...
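As an added illustration of the distinction the post draws (this is example code written for this page, not code from the thread or from the Go toolchain): go.mod records only a module path and a version string, while go.sum records an "h1:" hash of the module's contents. The h1 scheme is a SHA-256 over the sorted list of per-file SHA-256 digests, base64-encoded; the block below re-implements that algorithm against a constructed two-file module, parses go.sum lines, and shows that the same version string with different bytes (what a moved tag looks like) fails the check. The module path example.com/lib, its version and its file contents are all made up for the example.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// ModuleFiles is a constructed stand-in for a module zip: entry name
// (prefixed with module@version, as entries in a real module zip are) -> bytes.
type ModuleFiles map[string]string

// Hash1 computes the "h1:" hash that go.sum records for a module:
// sha256 over the lines "<hex sha256 of file>  <name>\n" for every file in
// sorted name order, then base64. This is a re-implementation of the
// published algorithm for the example, not the Go toolchain's own code.
func Hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // order is fixed so the hash does not depend on map iteration

	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(summary, "%x  %s\n", fileSum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// SumEntry is one parsed go.sum line: "<module> <version>[/go.mod] h1:<hash>".
type SumEntry struct {
	Module, Version, Hash string
	GoModOnly             bool // the "/go.mod" variant covers only the go.mod file
}

// ParseGoSum parses go.sum text into entries keyed by "<module> <version>[/go.mod]".
func ParseGoSum(text string) (map[string]SumEntry, error) {
	entries := map[string]SumEntry{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", line)
		}
		entries[f[0]+" "+f[1]] = SumEntry{
			Module:    f[0],
			Version:   strings.TrimSuffix(f[1], "/go.mod"),
			Hash:      f[2],
			GoModOnly: strings.HasSuffix(f[1], "/go.mod"),
		}
	}
	return entries, sc.Err()
}

// Verify reports whether the module bytes match the hash recorded in go.sum for
// module@version. A version string in go.mod cannot make this check: a tag can
// be moved to different content and go.mod would still name the same version.
func Verify(goSum, module, version string, files ModuleFiles) (bool, error) {
	entries, err := ParseGoSum(goSum)
	if err != nil {
		return false, err
	}
	e, ok := entries[module+" "+version]
	if !ok {
		return false, fmt.Errorf("no go.sum entry for %s %s", module, version)
	}
	return Hash1(files) == e.Hash, nil
}

// exampleModule returns a constructed module; the path, version and contents are made up.
func exampleModule() ModuleFiles {
	return ModuleFiles{
		"example.com/lib@v1.2.3/go.mod": "module example.com/lib\n\ngo 1.21\n",
		"example.com/lib@v1.2.3/lib.go": "package lib\n\nfunc Add(a, b int) int { return a + b }\n",
	}
}

func main() {
	files := exampleModule()
	goSum := "example.com/lib v1.2.3 " + Hash1(files) + "\n"
	ok, _ := Verify(goSum, "example.com/lib", "v1.2.3", files)
	fmt.Println("pristine module verifies:", ok)

	// Same version string, different bytes: what a moved tag looks like to go.sum.
	tampered := exampleModule()
	tampered["example.com/lib@v1.2.3/lib.go"] += "\nfunc init() { /* something unexpected */ }\n"
	ok, _ = Verify(goSum, "example.com/lib", "v1.2.3", tampered)
	fmt.Println("tampered module verifies:", ok)
}
```

The point to take from it: nothing in the `example.com/lib v1.2.3` line of a go.mod changes when the bytes behind v1.2.3 change; only the go.sum hash does, which is why deleting go.sum removes the check rather than being a no-op.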


Replies

PunchyHamster, last Thursday at 8:58 AM

> I'm not a go developer and must be misunderstanding something...

I think it's because not EVERY language's lockfile comes with a checksum.

So, Go's go.mod is functionally equivalent to a Ruby Gem lockfile (which doesn't have a checksum), but you need go.sum to be equivalent to npm's (which does come with a checksum).

The author just compared it to languages where a lockfile means just a version lock.

JetSetIlly, last Thursday at 9:41 AM

By default, all go mod downloads go through the golang proxy (https://proxy.golang.org/). That is part of the verification process.

inglor, last Thursday at 9:23 AM

You are not misunderstanding anything, I use Go and Rust/TypeScript in my daily work and you are correct - it is the OP that does not understand why people use lockfiles in CI (to prevent minor updates and changes in upstream through verifying a hash signature).
