inglor | 1 month ago

You are not misunderstanding anything. I use Go and Rust/TypeScript in my daily work and you are correct - it is the OP that does not understand why people use lockfiles in CI (to prevent minor updates and changes in upstream through verifying a hash signature).

alias_neo|1 month ago

I would hazard a guess that the (former) head of the Go security team at Google (OP) _does_ in fact understand.