go.sum Is Not a Lockfile

Go programmers bicker: stop reading go.sum—the real map is go.mod

TLDR: Author says go.sum only verifies downloads and doesn’t lock versions; go.mod is the source of truth. Comments split between cheering the security clarifications, roasting GitHub’s tooling for relying on go.sum, and arguing that Go’s “minimum version” rules still let versions drift—making this key to build trust and clarity.

The post drops a grenade: go.sum isn’t a lockfile, it’s just a local list of cryptographic checks to make sure downloads match. The author insists it has zero say over which versions you get; that’s all in go.mod. Cue the comment section melting down. Half the crowd cheers the clarity, half starts clutching their “lockfile” pearls.

Security fans like anishgupta applaud, noting that if upstream code gets tampered with, go.sum makes the build fail loudly—which is exactly the point. Skeptics like wereHamster bristle: if go.sum doesn’t affect builds, “do we even know what we’re running?” Meanwhile, confused onlookers ask why other ecosystems worship lockfiles while Go shrugs.

The biggest popcorn moment: peterldowns calls out that GitHub’s setup-go action still leans on go.sum, linking a longstanding issue and hoping this PSA nudges an update (issue 478). Then the pedants arrive: Groxx and djha-skin argue that go.mod pins minimum versions, so newer versions can sneak in via other dependencies. Suddenly it’s the Mod Squad vs. Sum Stans, “lockfile truthers,” and memes about CI tools “living in 2019.” For civilians: manifest files list allowed versions, lockfiles freeze exact ones; in Go, go.mod does both, while go.sum just verifies the content you got. Simple idea, spicy discourse.

Key Points

  • go.sum is not a lockfile and has no effect on version resolution; it is a local cache of cryptographic hashes from the Go Checksum Database.
  • go.mod is the authoritative source for dependency versions and, since Go 1.17, includes all direct and transitive dependencies needed for builds and tests.
  • Dependency analysis should target go.mod, which can be parsed with the golang.org/x/mod/modfile package, with go mod edit -json, or by hand following the go.mod file format specification.
  • In Go, go.mod functions as both manifest and lockfile, enforcing exact build versions, assuming semantic versioning, and treating major versions as separate modules.
  • Go commands honor the -mod flag: go mod tidy and go get default to -mod=mod (go.mod may be updated), while other commands default to -mod=readonly (go.mod is never modified).
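As an added example (not code from the post or from the Go project), here is the h1 checksum scheme that go.sum records, written against the standard library only: hash1 mirrors dirhash.Hash1 from golang.org/x/mod, verifySum is a hypothetical stand-in for the check the go command performs, and the module files are constructed. It shows why a single changed byte upstream makes the build fail while saying nothing about which version was chosen.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 reproduces the "h1:" checksum scheme that go.sum records: sort the
// file names, feed "<sha256 hex>  <name>\n" per file into an outer SHA-256,
// and base64-encode the outer digest. files maps file name -> content.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	outer := sha256.New()
	for _, name := range names {
		inner := sha256.Sum256(files[name])
		fmt.Fprintf(outer, "%x  %s\n", inner, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(outer.Sum(nil))
}

// verifySum checks one go.sum line ("<module> <version> h1:<hash>") against
// the content actually fetched; a mismatch is what makes the build fail.
func verifySum(sumLine string, fetched map[string][]byte) error {
	fields := strings.Fields(sumLine)
	if len(fields) != 3 {
		return fmt.Errorf("malformed go.sum line: %q", sumLine)
	}
	if got := hash1(fetched); got != fields[2] {
		return fmt.Errorf("verifying %s@%s: checksum mismatch (downloaded %s, go.sum %s)", fields[0], fields[1], got, fields[2])
	}
	return nil
}

func main() {
	// Constructed stand-in for an unpacked module zip; entries are named module@version/path.
	files := map[string][]byte{
		"example.com/lib@v1.2.3/go.mod": []byte("module example.com/lib\n\ngo 1.21\n"),
		"example.com/lib@v1.2.3/lib.go": []byte("package lib\n\nfunc Add(a, b int) int { return a + b }\n"),
	}
	line := "example.com/lib v1.2.3 " + hash1(files) // what go.sum would record
	fmt.Println("unchanged:", verifySum(line, files)) // <nil>
	files["example.com/lib@v1.2.3/lib.go"] = []byte("package lib\n\nfunc Add(a, b int) int { return a - b }\n")
	fmt.Println("tampered:", verifySum(line, files)) // checksum mismatch
}
```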

Hottest takes

"the checksum in go.sum will cause the build to fail unless the exact same content is fetched." — anishgupta
"the default actions/setup-go github action still uses go.sum instead." — peterldowns
"If go.sum has 'no observable effect on builds', you don't know what you're building" — wereHamster
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.