go: cmd/go: build with vendor depends on modcache for checksums

What version of Go are you using (go version)?

$ go version
go version devel go1.17-e4615ad Wed May 26 13:25:43 2021 +0000 linux/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/arccy/.cache/go-build"
GOENV="/home/arccy/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/tmp/gomodcache.f4Wp"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/arccy/.data/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/home/arccy/sdk/gotip"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/home/arccy/sdk/gotip/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="devel go1.17-e4615ad Wed May 26 13:25:43 2021 +0000"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/arccy/tmp/trivy-mod-parse/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3032020717=/tmp/go-build -gno-record-gcc-switches"

What did you do?

build a module with a vendor dir. Whether or not the module sums are embedded depends on the module cache

$ export GOMODCACHE=$(mktemp -d -t gomodcache.XXXX)

$ go build -mod=vendor
$ go version -m trivy-mod-parse
trivy-mod-parse: devel go1.17-e4615ad Wed May 26 13:25:43 2021 +0000
	path	github.com/ebati/trivy-mod-parse
	mod	github.com/ebati/trivy-mod-parse	(devel)	
	dep	github.com/davecgh/go-spew	v1.1.1	
	dep	github.com/go-sql-driver/mysql	v0.0.0-00010101000000-000000000000
	=>	github.com/go-sql-driver/mysql	v1.5.0	

$ go mod tidy
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/go-sql-driver/mysql v1.5.0

$ go build -mod=vendor
$ go version -m trivy-mod-parse
trivy-mod-parse: devel go1.17-e4615ad Wed May 26 13:25:43 2021 +0000
	path	github.com/ebati/trivy-mod-parse
	mod	github.com/ebati/trivy-mod-parse	(devel)	
	dep	github.com/davecgh/go-spew	v1.1.1	h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
	dep	github.com/go-sql-driver/mysql	v0.0.0-00010101000000-000000000000
	=>	github.com/go-sql-driver/mysql	v1.5.0	h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=

What did you expect to see?

build output not affected by module cache contents

What did you see instead?

checksums only embedded when module cache is populated

cc @bcmills @jayconrod @matloob

About this issue

  • Original URL
  • State: open
  • Created 3 years ago
  • Reactions: 5
  • Comments: 16 (7 by maintainers)

Most upvoted comments

Probably for now when we are building with -mod=vendor we should embed the module information (from vendor/modules.txt) but not the checksum information (because we don’t in general know that the vendor directory still matches the checksums).

+1
bcmills on Oct 28, 2022
Read more comments on GitHub
← go: cmd/go: build inside a Windows container does not find the sources in mounted volume
go: cmd/go: '"bzr": executable file not found in $PATH' when fetching github.com/influxdata/platform →