On Monday, March 11, 2019 at 10:01:04 AM UTC-7, Manlio Perillo wrote: > > Do you perhaps have the same requirements as in the thread > https://groups.google.com/forum/#!topic/golang-dev/DD88cds-LuI > as reported by Nicolas Mailhot? > > That is, you need to patch the upstream source but keep the same version, > because you can't (or don't want to) update all the versions of the > required modules. > > Not precisely. In my case, I'm doing the build in two stages a) fetch dependencies and make sure they pass the hash and b) use (a) to build the module. I can add patches to the stage (a) to patch dependencies, but obviously, it does need some patching work due to the path of the dependency itself. I'm not too worried about patching at this time as I'm more worried about packaging instead.
> In this case vendoring is, IMHO, currently the only solution, because the > go tool ignores the go.sum files in this case. > You can try to open a bug report about the incorrect behavior of `go mod > vendor` when using cgo. > > Or you can patch cmd/go. However instead of writing a patch specific to > Nix, I suggest to write a more generic patch. > > You can add a new module download mode, e.g. `-mod trust` to instruct > cmd/go to not check go.sum. > The future notary can be disabled with GONOVERIFY, so its not a problem. > Maybe you can use GONOVERIFY to decide if the checksum should be ignored. > > Finally, you can try to coordinate with other package managers, since this > seems to be a shared problem. > > Here is a patch. It seems to work but one the Go test fails, and it > should probably be updated: > https://gist.github.com/perillo/813b52dcff8824da3a2859828961d08b > > An alternative is to check for trust mode in the initGoSum function: > https://gist.github.com/perillo/1b3d3216c59f689e52ee7357d2a99136 > > Finally the last alternative is to check for trust mode in the checkGoMod > function, but this will also disable the notary. Maybe it is the correct > thing to do: > https://gist.github.com/perillo/59f3be87dd2b64d7d734c74d1f344cd5 > > None of these patches seems to work if I remove the entire $GOPATH/pkg/mod/cache directory. Again, I'm removing this entire directory because of both $GOPATH/pkg/mod/cache/vcs and $GOPATH/pkg/mod/cache/download seem to change whenever upstream has changed even though go.mod/go.sum are still on the same commit. I do agree with you, however, that the correct solution is to rely on vendoring instead of patching the module support. I will report a bug in vendoring with regards to cgo. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
