Why do go module versions sometimes need 2 lines in go.sum
M

1

8

Why do individual module versions sometimes need 2 lines in go.sum?

  • one line is just for the module version (v0.1.1 in the example below)
  • one line also has /go.mod tacked onto the version (v0.1.1/go.mod in the example below).

For example:

github.com/foo/bar v0.1.1 h1:kDgnGXZpvZUi7ym6Rm23yVn3gRqBag+vU6M/wytZR9c=
github.com/foo/bar v0.1.1/go.mod h1:MZcarCLffCxoj/EF1yhRb4HvOSmCkm5Z8FPmzWrMG+g=

The reason I ask is because sometimes when I go get a package, an indirect dependency will be generated in go.sum with only the second line from the example above, and then the build will fail with 410 gone for that package@version. However if I manually go get the indirect dependency, the build no longer fails with 410 gone.

I believe this only happens with private repositories, so I understand it will not play well with sum.golang.org. However, I'd like to figure out if it's possible to avoid getting the 410 in the first place, especially with regards to automated module updates, etc.

Moiety answered 3/9, 2020 at 10:41 Comment(4)
Read the go.sum section in golang.org/ref/mod#authenticating. The v0.1.1/go.mod is the hash for the go.mod file itself while the other is for the "source code". The problem you see has nothing to do with two lines being present. - Siobhansion
Thanks for the reply @Volker. Sorry that my question was unclear. I understand the difference between the two lines. But I don't understand why go get will get insufficient information to build indirect dependencies, yet if I go get the indirect dependency directly, it will get sufficient information to perform the build. Interestingly enough, even if not directly caused by one line being present, the problem is indeed solved by the two lines being present, hence the phrasing of my question. - Moiety
go get will get the latest version by default, which may be different from the one required by your dependency. We can't really help you without seeing the exact commands that fail. - Ironbound
This may be a bug in the go command. If you still see it with go1.16rc1, please open a new issue (with steps to reproduce) at golang.org/issue/new. - Bullfinch
B
5

The v0.1.1/go.mod entry contains the checksum for the go.mod file in isolation. That is needed to ensure consistency any time you are loading or changing dependencies.

The v0.1.1 entry (without the /go.mod suffix) contains the checksum for the full source code of the module, including all of the .go source files for the packages within it.

The two parts are downloaded separately so that you don't need to download the full source code for dependencies that you don't intend to build or test (a fairly common situation for projects with casual contributors). But because the go command downloads them separately, it needs separate checksums for them.

Bullfinch answered 24/6, 2021 at 20:30 Comment(0)
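
The two checksums described in the answer above, as an added example that is not part of the original answer or the go command's own code: it computes both go.sum lines for a constructed module using the h1 scheme implemented by golang.org/x/mod/sumdb/dirhash. The module path example.com/foo/bar, the file contents and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// h1 hashes a set of files: SHA-256 each file, write one
// "<hex digest>  <name>\n" line per file in sorted name order,
// then SHA-256 that listing and base64-encode the digest.
func h1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// goModLine builds the "/go.mod" line: the hash covers go.mod in isolation.
func goModLine(mod, version string, goMod []byte) string {
	return fmt.Sprintf("%s %s/go.mod %s", mod, version,
		h1(map[string][]byte{"go.mod": goMod}))
}

// moduleLine builds the plain version line: the hash covers every file in
// the module, named "module@version/path" as inside the module zip.
func moduleLine(mod, version string, tree map[string][]byte) string {
	zip := make(map[string][]byte, len(tree))
	for path, data := range tree {
		zip[mod+"@"+version+"/"+path] = data
	}
	return fmt.Sprintf("%s %s %s", mod, version, h1(zip))
}

func main() {
	// Constructed sample module, not a real one.
	tree := map[string][]byte{
		"go.mod": []byte("module example.com/foo/bar\n\ngo 1.16\n"),
		"bar.go": []byte("package bar\n"),
	}
	fmt.Println(moduleLine("example.com/foo/bar", "v0.1.1", tree))
	fmt.Println(goModLine("example.com/foo/bar", "v0.1.1", tree["go.mod"]))
}
```

Editing bar.go changes only the first line, while editing go.mod changes both, because go.mod is also part of the full module tree.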
