On Mon, 12 Apr 2021 at 13:47, Juergen Landwehr wrote:

> But dependency management in go is not as arbitrary as it may seem.
> Dependencies and their versions are stored in "go.mod". To ensure
> reproducible builds, hashes for each dependency and version are stored in
> "go.sum". Both files are in git and together with a local golang proxy,
> this should ensure reproducible builds, right?

Reproducibility means anyone can run a build at any point in the future even if the upstream repositories are gone, so all inputs must be stored in a local download cache, which is the other thing SRC_URI guarantees, in addition to verifying integrity of the inputs.

Alex
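
The distinction drawn in the reply, as an added example that is not part of the original thread: a `go.sum` entry pins a hash, but says nothing about whether the input can still be fetched. The sketch below lists every file `go.sum` has a hash for that is absent from a local cache directory; it assumes the directory follows the Go module download cache layout (`<escaped module>/@v/<version>.zip` and `.mod`), checks presence only, and uses a constructed `go.sum` with placeholder names and hashes.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

var upper = regexp.MustCompile("[A-Z]")

// escape applies the module cache case-encoding ("A" is stored as "!a").
func escape(s string) string {
	return upper.ReplaceAllStringFunc(s, func(m string) string { return "!" + strings.ToLower(m) })
}

// missingInputs lists files that go.sum pins by hash but that are absent from
// cacheDir (assumed layout: $GOMODCACHE/cache/download).
func missingInputs(goSum, cacheDir string) []string {
	var missing []string
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line) // module, version[/go.mod], h1:hash
		if len(f) != 3 {
			continue
		}
		// A plain version line covers the source zip, a "/go.mod" line the .mod file.
		ver, ext := f[1], ".zip"
		if strings.HasSuffix(ver, "/go.mod") {
			ver, ext = strings.TrimSuffix(ver, "/go.mod"), ".mod"
		}
		rel := filepath.Join(escape(f[0]), "@v", escape(ver)+ext)
		if _, err := os.Stat(filepath.Join(cacheDir, rel)); err != nil {
			missing = append(missing, rel)
		}
	}
	return missing
}

// Constructed go.sum content; module name and hashes are placeholders.
const sampleSum = "example.com/Foo/bar v1.2.0 h1:PLACEHOLDER=\n" +
	"example.com/Foo/bar v1.2.0/go.mod h1:PLACEHOLDER=\n"

func main() {
	dir, _ := os.MkdirTemp("", "modcache") // empty stand-in for the local cache
	defer os.RemoveAll(dir)
	fmt.Println("missing:", missingInputs(sampleSum, dir))
}
```

An empty result means every pinned input is available offline; the hashes in `go.sum` then cover the integrity half.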