go.sum are different when using go mod vendor/download


Problem description

I have a problem with the usage of commands go mod vendor and go mod download in a Go module.

When I'm using go mod vendor, the generated go.sum has extra lines. E.g., when I'm using go mod download, the go.sum contains:

github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

However, if I remove the go.sum and run go mod vendor, I have 2 lines:

github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

This is problematic because if I commit the go.sum after running go mod vendor, any further go mod download (which may be used by someone else or in CI) will not work because of mismatching hashes, which leads to a security issue.

Is there something I'm doing wrong in the usage of go mod vendor and go mod download? Why would they produce different hashes in the go.sum?

Here is the error that occurs immediately:

verifying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@v0.1.0: checksum mismatch
     downloaded: h1:tIKKCv/bUyBNvVsB6YLo0Ds9ZFdGJ0FKkFun22nwvCI=
     go.sum:     h1:qta5K5jjJg+TnsD76tcFK7Bjf402WP9MIbPsJGU11Ms=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

(Note: I replaced the name of the package with xxx because it carries my company name)

Recommended answer

The fact that go mod download did not add go.sum entries for the downloaded modules was arguably a bug, and it will be fixed in the upcoming Go 1.16 release (see https://golang.org/issue/41341).
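
The difference between the two go.sum outputs in the question, as an added example that is not part of the original question or answer: a go.sum line whose version ends in /go.mod records the hash of the go.mod file only, while a line with a bare version records the hash of the full module tree, so the line go mod vendor adds is a new entry rather than a changed hash. The helper names parseSum and compareSums are hypothetical; the sample input is the pair of go.sum lines quoted in the question.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// entry keys one go.sum line "<module> <version>[/go.mod] h1:<hash>". A "/go.mod"
// version hashes only the go.mod file; a bare version hashes the whole module tree.
type entry struct{ module, version string }

// parseSum reads go.sum text into a map from entry to its recorded hash.
func parseSum(text string) (map[entry]string, error) {
	sums := make(map[entry]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", sc.Text())
		}
		sums[entry{f[0], f[1]}] = f[2]
	}
	return sums, sc.Err()
}

// compareSums lists entries only in b (added) and entries whose hash differs (conflicts).
func compareSums(a, b map[entry]string) (added, conflicts []entry) {
	for e, h := range b {
		if old, ok := a[e]; !ok {
			added = append(added, e)
		} else if old != h {
			conflicts = append(conflicts, e)
		}
	}
	return added, conflicts
}

// Both inputs are the go.sum lines quoted in the question.
const afterDownload = "github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\n"
const afterVendor = "github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=\n" + afterDownload

func main() {
	a, _ := parseSum(afterDownload)
	b, _ := parseSum(afterVendor)
	fmt.Println(compareSums(a, b))
}
```

For the question's files this reports one added entry and no conflicts; only a conflict (same module, same version key, different h1 value) corresponds to the checksum mismatch error shown above.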
