Commit
To quote the “Releasing Modules (All Versions)” section of the Go Modules wiki page [1]:

    Ensure your go.sum file is committed along with your go.mod file. See FAQ below [2] for more details and rationale.

And the “Should I commit my 'go.sum' file as well as my 'go.mod' file?” section from the same page [2]:

    “Typically your module's go.sum file should be committed along with your go.mod file.

    - go.sum contains the expected cryptographic checksums of the content of specific module versions.
    - If someone clones your repository and downloads your dependencies using the go command, they will receive an error if there is any mismatch between their downloaded copies of your dependencies and the corresponding entries in your go.sum.
    - In addition, go mod verify checks that the on-disk cached copies of module downloads still match the entries in go.sum.
    - Note that go.sum is not a lock file as used in some alternative dependency management systems. (go.mod provides enough information for reproducible builds).
    - See very brief rationale here [3] from Filippo Valsorda on why you should check in your go.sum.

    See the "Module downloading and verification" [4] section of the tip documentation for more details. See possible future extensions being discussed for example in golang/go#24117 and golang/go#25530.”

[1] https://github.com/golang/go/wiki/Modules#releasing-modules-all-versions
[2] https://github.com/golang/go/wiki/Modules#should-i-commit-my-gosum-file-as-well-as-my-gomod-file
[3] https://twitter.com/FiloSottile/status/1029404663358087173
[4] https://tip.golang.org/cmd/go/#hdr-Module_downloading_and_verification