Go and Versioning: Reproducible, Verifiable, Verified Builds

I found myself getting lost among the various posts by rsc and the resulting HN discussions, I hope this helps someone else too.<p>All of the posts in this series on vgo are listed here: <a href="https:&#x2F;&#x2F;research.swtch.com&#x2F;vgo" rel="nofollow">https:&#x2F;&#x2F;research.swtch.com&#x2F;vgo</a>. There will be at least one more, a FAQ on Friday.<p>And the most popular HN discussions about them (in chronological order):<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=16421966" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=16421966</a> (Go += Package Versioning)<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=16431299" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=16431299</a> (Semantic Import Versioning)<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=16433425" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=16433425</a> (Minimal Version Selection)

This addresses the biggest holdout I had so far: verifying that tagged releases don&#x27;t change from underneath you, by checking against a Certificate Transparency-like local log of all encountered module versions and their hash.<p>As I understand it, go verify checks the local go.modverify file against all transitive dependencies. It might be valuable to also check those against the dependencies&#x27; go.modverify files as well (if present), to make sure everyone is on the same page on what each version represents.