why we still need lock file ?
145 views
Skip to first unread message
Akash Kumar
Jun 26, 2024, 2:58:22 AM (4 days ago) Jun 26
to golang-nuts
As go is using minimum version selection strategy for creating reproducible build list, so why we still need a lock file ? also is there plans to deprecate lock file in future ?
Ian Lance Taylor
Jun 26, 2024, 9:59:39 AM (4 days ago) Jun 26
to Akash Kumar, golang-nuts
On Tue, Jun 25, 2024 at 11:58 PM Akash Kumar <meaka...@gmail.com> wrote:
>
> As go is using minimum version selection strategy for creating reproducible build list, so why we still need a lock file ? also is there plans to deprecate lock file in future ?
What lock file are you talking about?
>
> As go is using minimum version selection strategy for creating reproducible build list, so why we still need a lock file ? also is there plans to deprecate lock file in future ?
Ian
ben...@gmail.com
Jun 26, 2024, 7:20:47 PM (3 days ago) Jun 26
to golang-nuts
It's a pretty good bet that Akash is asking about go.sum. Akash, the go.sum is not actually a "lock file" (like many other languages' package managers have). Just go.mod is enough to determine the exact versions of all the modules, as you indicate. What go.sum contains are cryptographic hashes of all the module contents, allowing the Go tooling to verify that what it downloads are the same bytes the package author downloaded. Often other languages store these hashes in their lock files, but Go Modules does things a bit differently.
See more about these hashes and go.sum: https://go.dev/ref/mod#authenticating
-Ben
Reply all
Reply to author
Forward
0 new messages