go.sum are different when using go mod vendor/download
Problem description
I have a problem with the usage of commands go mod vendor and go mod download in a go module.
When I'm using go mod vendor, the generated go.sum has extra lines. E.g., when I'm using go mod download, the go.sum contains:
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
However, if I remove the go.sum and run go mod vendor, I have 2 lines:
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
This is problematic because if I commit the go.sum after running go mod vendor, any further go mod download (which may be used by someone else or in CI) will not work because of mismatching hashes which lead to a security issue.
Is there something I'm doing wrong in the usage of go mod vendor and go mod download? Why would they produce different hashes in the go.sum?
Here is the error that occurs immediately:
verifying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@v0.1.0: checksum mismatch
downloaded: h1:tIKKCv/bUyBNvVsB6YLo0Ds9ZFdGJ0FKkFun22nwvCI=
go.sum: h1:qta5K5jjJg+TnsD76tcFK7Bjf402WP9MIbPsJGU11Ms=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
(Note: I replaced the name of the package with xxx because it carries my company name)
Recommended answer
The fact that go mod download did not add go.sum entries for the downloaded modules was arguably a bug, and it will be fixed in the upcoming Go 1.16 release (see https://golang.org/issue/41341).
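The two go.sum line kinds quoted in the question, as an added example that is not part of the original question or answer: a line without the /go.mod suffix records the hash of the module's zip, and a line with it records the hash of the go.mod file alone, so they are separate entries. The Go sketch below (function and constant names are illustrative) diffs two go.sum files and separates extra lines from keys whose hash actually differs.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed inputs: the two go.sum variants quoted in the question.
const afterDownload = "github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\n"
const afterVendor = "github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=\n" + afterDownload

// parseGoSum maps each "module version" key (hash of the module zip) and
// "module version/go.mod" key (hash of the go.mod file) to its h1: hash.
func parseGoSum(data string) (map[string]string, error) {
	sums := map[string]string{}
	for i, line := range strings.Split(data, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("line %d: malformed go.sum entry", i+1)
		}
		sums[f[0]+" "+f[1]] = f[2]
	}
	return sums, nil
}

// diffGoSum returns keys present only in b (extra lines, not an error) and
// keys whose hash differs between a and b (what "checksum mismatch" reports).
func diffGoSum(a, b map[string]string) (added, conflicts []string) {
	for key, hash := range b {
		if old, ok := a[key]; !ok {
			added = append(added, key)
		} else if old != hash {
			conflicts = append(conflicts, key)
		}
	}
	sort.Strings(added)
	sort.Strings(conflicts)
	return added, conflicts
}

func main() {
	a, _ := parseGoSum(afterDownload)
	b, _ := parseGoSum(afterVendor)
	fmt.Println(diffGoSum(a, b))
}
```

For the question's two files this reports one added key (the zip hash) and no conflicts; a non-empty conflicts list in CI is the case worth failing the build on.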