What happens if the hash retrieved from sumdb and the one in go.sum file of the main module are different?

[T L]

.

[Ian Lance Taylor]

The go tool reports a checksum mismatch error.

Ian

[T L]

On Wednesday, September 11, 2019 at 5:33:02 PM UTC-4, Ian Lance Taylor wrote:

The go tool reports a checksum mismatch error.

Ian

"go help module-auth" says

If a downloaded module is not yet included in go.sum and it is a publicly
available module, the go command consults the Go checksum database to fetch
the expected go.sum lines.

and ""go help modules" says

No matter the source of the modules, the go command checks downloads against
known checksums, to detect unexpected changes in the content of any specific
module version from one day to the next. This check first consults the current
module's go.sum file but falls back to the Go checksum database, controlled by
the GOSUMDB and GONOSUMDB environment variables. See 'go help module-auth'
for details.

By these explanations, is my following understanding correct?

1. when I "git clone" a Go program project which contains a go.mod and a go.sum file.

   then sumdb will not be connected if I run "go build" under the project.

2. when I "go get" a package under my modules based project,

   sumdb will be connected to fetch the hash of the dependency package,

   if the fetch result and local cached dependency hash matches,

   then two hash lines will be added the go.sum file of my project,

  

   if the dependency package is also modules based, in other words,

   it has its own go.mod and go.sum files, the hashes of the dependency packages

   of the dependency package will not be fetched from sumdb.

[T L]

Here, for the case of the dependency module is also modules based,

will the hash lines in the go.sum file in the dependency module be copied directly

into the go.sum file of the man project module? Instead of fetching them from sumdb.