I found myself getting lost among the various posts by rsc and the resulting HN discussions; I hope this helps someone else too.

All of the posts in this series on vgo are listed here: https://research.swtch.com/vgo.
There will be at least one more, a FAQ on Friday.

And the most popular HN discussions about them (in chronological order):

https://news.ycombinator.com/item?id=16421966 (Go += Package Versioning)

https://news.ycombinator.com/item?id=16431299 (Semantic Import Versioning)

https://news.ycombinator.com/item?id=16433425 (Minimal Version Selection)
This addresses the biggest holdout I had so far: verifying that tagged releases don't change from underneath you, by checking against a Certificate Transparency-like local log of all encountered module versions and their hash.

As I understand it, go verify checks the local go.modverify file against all transitive dependencies. It might be valuable to also check those against the dependencies' go.modverify files as well (if present), to make sure everyone is on the same page on what each version represents.
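The cross-check proposed in the comment above, as an added example that is not part of the thread or of vgo itself: it assumes go.modverify lines have the three-field shape "module version hash", and the module names and hashes in the sample are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// File pairs one go.modverify text with the module that owns it.
type File struct{ Owner, Text string }

// Conflicts walks the files in order (root module first, then each dependency)
// and reports every module@version that two files record with different hashes;
// identical duplicates are accepted. Each line is assumed to have the three-field
// shape "module version hash"; blank lines are skipped, anything else is an error.
func Conflicts(files []File) (report []string, err error) {
	seen := map[string][2]string{} // module@version -> {hash, owner that recorded it}
	for _, file := range files {
		for n, line := range strings.Split(file.Text, "\n") {
			f := strings.Fields(line)
			if len(f) == 0 {
				continue
			}
			if len(f) != 3 {
				return nil, fmt.Errorf("%s line %d: want 'module version hash', got %q", file.Owner, n+1, line)
			}
			key := f[0] + "@" + f[1]
			if p, ok := seen[key]; !ok {
				seen[key] = [2]string{f[2], file.Owner}
			} else if p[0] != f[2] {
				report = append(report, fmt.Sprintf("%s: %s has %s, %s has %s", key, p[1], p[0], file.Owner, f[2]))
			}
		}
	}
	return report, nil
}

func main() {
	// Constructed sample: the dependency rsc.io/quote records a different hash
	// for golang.org/x/text v0.3.0 than the root module does (placeholder hashes).
	report, err := Conflicts([]File{
		{"root", "golang.org/x/text v0.3.0 h1:AAA=\nrsc.io/quote v1.5.2 h1:BBB=\n"},
		{"rsc.io/quote", "golang.org/x/text v0.3.0 h1:CCC=\n"},
	})
	fmt.Println(report, err) // [golang.org/x/text@v0.3.0: root has h1:AAA=, rsc.io/quote has h1:CCC=] <nil>
}
```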