Most of the time when writing software you build on other software, which we call "dependencies." In Go, a dependency is a module: a versioned collection of Go packages. The modules your own module depends on, and the exact versions it requires, are recorded in a file called go.mod.

module …

go 1.13

require (
	… v1.13.3
	… v0.5.0
	… v0.0.0-20191202143827-86a70503ff7e
	… v0.0.0-20191125180803-fdd1cda4f05f
	… v0.0.0-20191126235420-ef20fe5d7933
	… v0.0.0-20191128015809-6d18c012aee9
	… v0.0.0-20191024005414-555d28b269f0
	… v0.0.0-20191202203127-2b6af5f9ace7
	… v0.0.0-20191115221424-83cc0476cb11
	… v2.4.0
	… v2.2.7 // indirect
)

The above is an example of a go.mod (the module paths, shown here as …, did not survive the capture of this page; only the versions did). Pseudo-versions of the form v0.0.0-yyyymmddhhmmss-commithash pin a module to a specific untagged commit. You can also list the main module and the full set of modules it depends on like so:

$ go list -m all
… v0.0.0-20170915032832-14c0d48ead0c
… v1.5.2
… v1.3.0

The go command authenticates every downloaded module, checking that the bits downloaded for a specific module version today match the bits downloaded yesterday. This ensures repeatable builds and detects the introduction of unexpected changes, malicious or not, such as a tag being moved to a different commit or a proxy serving altered content.

In each module’s root, alongside go.mod, the go command maintains a file named go.sum containing the cryptographic checksums of the module’s dependencies.

Each line in go.sum has three fields:

<module> <version>[/go.mod] <hash>

The hash field names the algorithm, then a colon, then the checksum. For h1 the checksum is SHA-256 over a summary that lists each file's own SHA-256 hash and name in sorted order (the same layout as sha256sum output), base64-encoded. The plain <version> line covers the whole module zip; the <version>/go.mod line covers only that module's go.mod file, which lets the go command verify the go.mod files it fetches during version selection without downloading every module in full.

The go command maintains a cache of downloaded modules and computes and records the cryptographic checksum of each module at download time. In normal operation, the go command checks the main module's go.sum file against these precomputed checksums instead of recomputing them on each command invocation; a mismatch aborts the build with a "verifying module: checksum mismatch" error, and go mod verify recomputes the checksums of everything in the cache on demand. The caveat is that go.sum can only catch changes relative to what it already holds. For a module that has no go.sum entry yet, the go command (since Go 1.13) consults the checksum database named by GOSUMDB, sum.golang.org by default, before recording the entry; for modules excluded from that check via GONOSUMDB or GOPRIVATE, or with GOSUMDB=off, the first download is trusted as-is, so commit go.sum and review changes to it like any other code.

$ cat go.sum
… v0.0.0-20170915032832-14c0d48ead0c h1:qgOY6WgZO...
… v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:Nq...
… v1.5.2 h1:w5fcysjrx7yqtD/aO+QwRjYZOKnaM9Uh2b40tElTs3...
… v1.5.2/go.mod h1:LzX7hefJvL54yjefDEDHNONDjII0t9xZLPX...
… v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/Q...
… v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9...
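To make the go.sum format and the h1 check concrete, here is an added example, written for this page and not code from the Go project: it parses go.sum lines into their three fields, computes an h1 checksum the same way the go command's dirhash.Hash1 does (per-file SHA-256, summarised in sorted sha256sum layout, then SHA-256 of the summary, base64-encoded with an "h1:" prefix), and verifies a set of files against a go.sum entry. The module example.com/greeter and its go.mod content are constructed for the demonstration; for a /go.mod entry the single hashed file is named just "go.mod", whereas zip entries carry "module@version/" prefixes.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// SumLine is one parsed go.sum line: "<module> <version>[/go.mod] <hash>".
type SumLine struct {
	Module  string
	Version string
	GoMod   bool   // true for the "<version>/go.mod" form (hash of go.mod only)
	Hash    string // e.g. "h1:..."
}

// ParseGoSum parses go.sum text. Blank lines are skipped; anything that is
// not exactly three fields with an h1: hash is rejected.
func ParseGoSum(text string) ([]SumLine, error) {
	var lines []SumLine
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		raw := strings.TrimSpace(sc.Text())
		if raw == "" {
			continue
		}
		f := strings.Fields(raw)
		if len(f) != 3 {
			return nil, fmt.Errorf("go.sum line %d: expected 3 fields, got %d", n, len(f))
		}
		l := SumLine{Module: f[0], Version: f[1], Hash: f[2]}
		if strings.HasSuffix(l.Version, "/go.mod") {
			l.GoMod = true
			l.Version = strings.TrimSuffix(l.Version, "/go.mod")
		}
		if !strings.HasPrefix(l.Hash, "h1:") {
			return nil, fmt.Errorf("go.sum line %d: unsupported hash %q", n, l.Hash)
		}
		lines = append(lines, l)
	}
	return lines, sc.Err()
}

// Hash1 computes an "h1:" checksum over files (name -> content), following the
// dirhash.Hash1 algorithm: for each file in sorted name order write
// "<sha256 hex>  <name>\n" (sha256sum format) into a summary, then return
// "h1:" + base64(SHA-256(summary)). Names containing a newline are rejected
// because they would break the summary's line structure.
func Hash1(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			return "", errors.New("dirhash: filenames with newlines are not supported")
		}
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(h, "%x  %s\n", sum[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// Verify hashes files and compares the result with the go.sum entry for
// module@version (goMod selects the "/go.mod" entry). A missing entry is an
// error too: go.sum can only vouch for what it already records.
func Verify(sums []SumLine, module, version string, goMod bool, files map[string][]byte) error {
	got, err := Hash1(files)
	if err != nil {
		return err
	}
	for _, l := range sums {
		if l.Module == module && l.Version == version && l.GoMod == goMod {
			if l.Hash != got {
				return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s",
					module, version, got, l.Hash)
			}
			return nil
		}
	}
	return fmt.Errorf("%s@%s: missing go.sum entry", module, version)
}

func main() {
	// Constructed sample go.mod for a hypothetical module (not a real one).
	files := map[string][]byte{"go.mod": []byte("module example.com/greeter\n\ngo 1.13\n")}
	h, err := Hash1(files)
	if err != nil {
		panic(err)
	}
	sums, err := ParseGoSum("example.com/greeter v1.0.0/go.mod " + h + "\n")
	if err != nil {
		panic(err)
	}
	fmt.Println("recorded:", sums[0].Hash)
	fmt.Println("clean verify:", Verify(sums, "example.com/greeter", "v1.0.0", true, files))
	// A single changed byte in go.mod, even a comment, changes the h1 hash.
	files["go.mod"] = append(files["go.mod"], []byte("// tampered\n")...)
	fmt.Println("tampered verify:", Verify(sums, "example.com/greeter", "v1.0.0", true, files))
}
```

Running it prints a "checksum mismatch" error for the tampered copy, the same shape of failure the go command reports when a cached module no longer matches go.sum.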

disciple of experience