Should go.sum file be checked in to the git repository?

Tags:

go

I have a program with source code hosted on GitHub that uses Go Modules introduced in go 1.11.

go.mod file describes my dependencies, but go.sum file seems to be a lockfile. Should I be adding go.sum to my repository or should I gitignore it?

ahmet alp balkan asked Dec 18 '18 17:12


2 Answers

https://github.com/golang/go/wiki/Modules#releasing-modules-all-versions:

Ensure your go.sum file is committed along with your go.mod file.

Adrian answered Sep 16 '22 15:09


(Building on a previous answer.)

Yes, commit go.sum.

Ensure your go.sum file is committed along with your go.mod file. See FAQ below for more details and rationale.

From the FAQ:

Should I commit my 'go.sum' file as well as my 'go.mod' file?

Typically your module's go.sum file should be committed along with your go.mod file.

  • go.sum contains the expected cryptographic checksums of the content of specific module versions.
  • If someone clones your repository and downloads your dependencies using the go command, they will receive an error if there is any mismatch between their downloaded copies of your dependencies and the corresponding entries in your go.sum.
  • In addition, go mod verify checks that the on-disk cached copies of module downloads still match the entries in go.sum.
  • Note that go.sum is not a lock file as used in some alternative dependency management systems. (go.mod provides enough information for reproducible builds).
  • See very brief rationale here from Filippo Valsorda on why you should check in your go.sum. See the "Module downloading and verification" section of the tip documentation for more details. See possible future extensions being discussed for example in #24117 and #25530.

Jon answered Sep 19 '22 15:09
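
The mismatch check described in the FAQ bullets above, as an added example that is not part of either answer or of the Go project's code. It recomputes an "h1:" hash the way `golang.org/x/mod/sumdb/dirhash` does (SHA-256 over a sorted manifest of per-file SHA-256 lines) and compares it with a go.sum entry; the module `example.com/dep`, its go.mod content, and the helper names `hashH1` and `checkGoMod` are constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 computes an "h1:" hash as recorded in go.sum: SHA-256 over a
// name-sorted manifest of "<sha256 hex>  <name>\n" lines, base64-encoded.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	sum := sha256.New()
	for _, n := range names {
		fmt.Fprintf(sum, "%x  %s\n", sha256.Sum256(files[n]), n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(sum.Sum(nil))
}

// checkGoMod looks up the "<module> <version>/go.mod <hash>" line in goSum.
// found is false when there is no such entry; ok is true only when the
// downloaded go.mod bytes hash to the recorded value.
func checkGoMod(goSum, module, version string, goMod []byte) (found, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return true, f[2] == hashH1(map[string][]byte{"go.mod": goMod})
		}
	}
	return false, false
}

func main() {
	// Constructed sample: a hypothetical dependency and the go.sum line committed for it.
	goMod := []byte("module example.com/dep\n\ngo 1.21\n")
	goSum := "example.com/dep v1.0.0/go.mod " + hashH1(map[string][]byte{"go.mod": goMod}) + "\n"
	tampered := append([]byte{}, goMod...)
	tampered = append(tampered, "require example.com/extra v0.0.1\n"...)
	fmt.Println(checkGoMod(goSum, "example.com/dep", "v1.0.0", goMod))    // entry found, hash matches
	fmt.Println(checkGoMod(goSum, "example.com/dep", "v1.0.0", tampered)) // entry found, hash differs
}
```

Without a committed go.sum there is no recorded value to compare against, which is the `found == false` case: a fresh clone would have nothing in the repository to check its downloads against.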