Dear all, Having recently started programming in Go, I'm interested in how Debian packages libraries and applications written in the language.
It appears that the Debian CI/CD system installs all the currently packaged Go libraries into $GOPATH before building a new package, in this way being able to keep versions in sync between packages and facilitating reproducible builds. However, I would have thought that the go.sum and go.mod files that the Go compiler uses might cause problems here: - when an upstream project specifies a particular version of a dependency in go.mod, the Go compiler will attempt to download that specific version from the package's path - when Debian's versions of the libraries are used, the go.sum hash data would clearly not match and the Go compiler would refuse to complete the build There is an option to use the `-modfile` flag to `go build`, which allows you to provide alternative go.mod and go.sum files. Do you make use of this flag in the Debian CI/CD, or is there another technique to avoid these two problems? I spent last evening cruising between Salsa, tracker.debian.org and this mailing list, but the relevant part of the build system was proving elusive! I would very much appreciate some more information on this fascinating part of Debian. Best wishes, Sebastian
