It's a pretty good bet that Akash is asking about go.sum. Akash, the go.sum 
is not actually a "lock file" (like many other languages' package managers 
have). Just go.mod is enough to determine the exact versions of all the 
modules, as you indicate. What go.sum contains are cryptographic hashes of 
all the module contents, allowing the Go tooling to verify that what it 
downloads are the same bytes the package author downloaded. Often other 
languages store these hashes in their lock files, but Go Modules does 
things a bit differently.

See more about these hashes and go.sum: 
https://go.dev/ref/mod#authenticating

-Ben

On Thursday, June 27, 2024 at 1:59:39 AM UTC+12 Ian Lance Taylor wrote:

> On Tue, Jun 25, 2024 at 11:58 PM Akash Kumar <meaka...@gmail.com> wrote:
> >
> > As Go is using the minimum version selection strategy for creating a
> > reproducible build list, why do we still need a lock file? Also, are there
> > plans to deprecate the lock file in the future?
>
> What lock file are you talking about?
>
> Ian
>
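
The check Ben describes, as an added example that is not part of the original messages or the Go project's own code: it recomputes the `h1:` hash of a module's files and compares it with the value recorded in a go.sum line. Assumptions: the module `example.com/hello`, its version and its contents are constructed, the files are held in memory rather than read from the downloaded module zip, and only whole-module lines are handled (not the separate `/go.mod` lines go.sum also carries).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashH1 computes a go.sum "h1:" hash: SHA-256 over a sorted manifest of
// "<hex sha256 of file>  <module@version>/<path>\n" lines, base64-encoded.
func hashH1(modVer string, files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") { // would let a name forge manifest lines
			return "", fmt.Errorf("file name %q contains a newline", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%x  %s/%s\n", sha256.Sum256(files[name]), modVer, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// verify checks files against one go.sum line: "<module> <version> <hash>".
func verify(goSumLine string, files map[string][]byte) error {
	f := strings.Fields(goSumLine)
	if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
		return fmt.Errorf("malformed go.sum line: %q", goSumLine)
	}
	got, err := hashH1(f[0]+"@"+f[1], files)
	if err == nil && got != f[2] {
		err = fmt.Errorf("checksum mismatch: got %s, want %s", got, f[2])
	}
	return err
}

func main() {
	files := map[string][]byte{"go.mod": []byte("module example.com/hello\n")} // constructed
	sum, _ := hashH1("example.com/hello@v1.0.0", files)
	line := "example.com/hello v1.0.0 " + sum
	files["go.mod"] = append(files["go.mod"], '#') // tamper after recording
	fmt.Println(verify(line, files))               // verify returns a mismatch error
}
```

A single changed byte in any file changes that file's digest, which changes the manifest and therefore the recorded `h1:` value, so the comparison fails regardless of which versions go.mod selected.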
