Most times when writing software, you use other software or as we call them “dependencies.” In golang, we may call that a collection of go packages. That collection of go packages is outlined in a file called go.mod.

module example.com/hellorequire (github.com/aws/aws-lambda-go v1.13.3 // indirectgithub.com/aws/aws-sdk-go v1.25.45github.com/bitly/go-simplejson v0.5.0 // indirectgithub.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869golang.org/x/crypto v0.0.0-20191202143827-86a70503ff7e // indirectgolang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f // indirectgolang.org/x/net v0.0.0-20191126235420-ef20fe5d7933 // indirectgolang.org/x/sys v0.0.0-20191128015809-6d18c012aee9 // indirectgolang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirectgolang.org/x/tools v0.0.0-20191202203127-2b6af5f9ace7 // indirectgoogle.golang.org/genproto v0.0.0-20191115221424-83cc0476cb11 // indirectgoogle.golang.org/grpc v1.28.0gopkg.in/square/go-jose.v2 v2.4.0 // indirectgopkg.in/yaml.v2 v2.2.7 // indirect)
go 1.13

The above is an example of a go.mod. You can also list the current module and its dependencies like such:

$ go list -m all
example.com/hello
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c
rsc.io/quote v1.5.2
rsc.io/sampler v1.3.0

The go command tries to authenticate every downloaded module, checking that the bits downloaded for a specific module version today match bits downloaded yesterday. This ensures repeatable builds and detects introduction of unexpected changes, malicious or not.

In each module’s root, alongside go.mod, the go command maintains a file named go.sum containing the cryptographic checksums of the module’s dependencies.

The form of each line is in go.sum is three fields:

<module> <version>[/go.mod] <hash>

The go command maintains a cache of downloaded packages and computes and records the cryptographic checksum of each package at download time. In normal operation, the go command checks the main module’s go.sum file against these precomputed checksums instead of recomputing them on each command invocation.

$ cat go.sum
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c h1:qgOY6WgZO...
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:Nq...
rsc.io/quote v1.5.2 h1:w5fcysjrx7yqtD/aO+QwRjYZOKnaM9Uh2b40tElTs3...
rsc.io/quote v1.5.2/go.mod h1:LzX7hefJvL54yjefDEDHNONDjII0t9xZLPX...
rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/Q...
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9...

disscepolo della sperientia