Stay Close Mod Download
To allow auto-downloads and updates, set your console to stay connected to the internet when in rest mode and install update files automatically. Enable automatic downloads and make sure to leave your console in rest mode when not in use.
Stay Close Mod Download
If a module might be depended on by other modules, these rules must be followedso that the go command can find and download the module. There are alsoseveral lexical restrictions on characters allowed inmodule paths.
For each entry in the GOPROXY list, the go command requests the latestversion of each module path that might provide the package (that is, each prefixof the package path). For each successfully requested module path, the gocommand will download the module at the latest version and check whether themodule contains the requested package. If one or more modules contain therequested package, the module with the longest path is used. If one or moremodules are found but none contain the requested package, an error isreported. If no modules are found, the go command tries the next entry in theGOPROXY list. If no entries are left, an error is reported.
If the module path appears in a require directive and is not replaced, orif the module paths appears on the right side of a replace directive,the go command may need to download modules with that path, and someadditional requirements must be satisfied.
retract directives may be written with either a single version (like v1.0.0)or with a closed interval of versions with an upper and lower bound, delimited by[ and ] (like [v1.1.0, v1.2.0]). A single version is equivalent to aninterval where the upper and lower bound are the same. Like other directives,multiple retract directives may be grouped together in a block delimited by( at the end of a line and ) on its own line.
Most go commands may run in Module-aware mode or GOPATH mode. Inmodule-aware mode, the go command uses go.mod files to find versioneddependencies, and it typically loads packages out of the modulecache, downloading modules if they are missing. In GOPATHmode, the go command ignores modules; it looks in vendordirectories and in GOPATH to find dependencies.
In module-aware mode, GOPATH no longer defines the meaning of imports during abuild, but it still stores downloaded dependencies (in GOPATH/pkg/mod; seeModule cache) and installed commands (in GOPATH/bin, unlessGOBIN is set).
When using modules, the go command typically satisfies dependencies bydownloading modules from their sources into the module cache, then loadingpackages from those downloaded copies. Vendoring may be used to allowinteroperation with older versions of Go, or to ensure that all files used for abuild are stored in a single file tree.
When vendoring is enabled, build commands like go build andgo test load packages from the vendor directory instead of accessing thenetwork or the local module cache. The go list -m command onlyprints information about modules listed in go.mod. go mod commands such asgo mod download and go mod tidy do notwork differently when vendoring is enabled and will still download modules andaccess the module cache. go get also does not work differently whenvendoring is enabled.
The go mod download command downloads the named modules into the modulecache. Arguments can be module paths or modulepatterns selecting dependencies of the main module or versionqueries of the form path@version. With no arguments,download applies to all dependencies of the main module.
The go command will automatically download modules as needed during ordinaryexecution. The go mod download command is useful mainly for pre-filling themodule cache or for loading data to be served by a moduleproxy.
When vendoring is enabled, the go command will load packages from the vendordirectory instead of downloading modules from their sources into the modulecache and using packages those downloaded copies. See Vendoringfor more information.
go mod verify checks that dependencies of the main modulestored in the module cache have not been modified sincethey were downloaded. To perform this check, go mod verify hashes eachdownloaded module .zip file and extracted directory, thencompares those hashes with a hash recorded when the module was firstdownloaded. go mod verify checks each module in the buildlist (which may be printed with go list -m all).
In contrast, go mod verify checks that module .zip files and their extracteddirectories have hashes that match hashes recorded in the module cache when theywere first downloaded. This is useful for detecting changes to files in themodule cache after a module has been downloaded and verified. go mod verifydoes not download content for modules not in the cache, and it does not usego.sum files to verify module content. However, go mod verify may downloadgo.mod files in order to perform minimal versionselection. It will use go.sum to verify thosefiles, and it may add go.sum entries for missing hashes.
The go command caches most content it downloads from module proxies in itsmodule cache in $GOPATH/pkg/mod/cache/download. Even when downloading directlyfrom version control systems, the go command synthesizes explicit info,mod, and zip files and stores them in this directory, the same as if it haddownloaded them directly from a proxy. The cache layout is the same as the proxyURL space, so serving $GOPATH/pkg/mod/cache/download at (or copying it to) would let users access cached module versions bysetting GOPROXY to
The go command may download module source code and metadata from a moduleproxy. The GOPROXY environmentvariable may be used to configure which proxies thego command may connect to and whether it may communicate directly withversion control systems. Downloaded module data is saved in the modulecache. The go command will only contact a proxy when itneeds information not already in the cache.
When the go command computes the build list, it loads the go.mod file foreach module in the module graph. If a go.mod file is notin the cache, the go command will download it from the proxy using a$module/@v/$version.mod request (where $module is the module path and$version is the version). These requests can be tested with a tool likecurl. For example, the command below downloads the go.mod file forgolang.org/x/mod at version v0.2.0:
In order to load a package, the go command needs the source code for themodule that provides it. Module source code is distributed in .zip files whichare extracted into the module cache. If a module .zip is not in the cache,the go command will download it using a $module/@v/$version.zip request.
Note that .mod and .zip requests are separate, even though go.mod filesare usually contained within .zip files. The go command may need to downloadgo.mod files for many different modules, and .mod files are much smallerthan .zip files. Additionally, if a Go project does not have a go.mod file,the proxy will serve a synthetic go.mod file that only contains a moduledirective. Synthetic go.mod files are generated by thego command when downloading from a version control system.
For example, suppose the go command is attempting to download the moduleexample.com/gopher at version v1.0.0. It sends a request to -get=1. The server responds with an HTML documentcontaining the tag:
To download specific modules from source repositories instead of a proxy, setthe GOPRIVATE or GONOPROXY environment variables. To configure the gocommand to download all modules directly from source repositories, set GOPROXYto direct. See Environment variables for moreinformation.
If the module path has a VCS qualifier (one of .bzr, .fossil, .git, .hg,.svn) at the end of a path component, the go command will use everything upto that path qualifier as the repository URL. For example, for the moduleexample.com/foo.git/bar, the go command downloads the repository atexample.com/foo.git using git, expecting to find the module in the barsubdirectory. The go command will guess the protocol to use based on theprotocols supported by the version control tool.
vcs is the version control system. It must be one of the tools listed in thetable below or the keyword mod, which instructs the go command to downloadthe module from the given URL using the GOPROXYprotocol. See Serving modules directly from aproxy for details.
After the repository URL is found, the go command will clone the repositoryinto the module cache. In general, the go command tries to avoid fetchingunneeded data from a repository. However, the actual commands used vary byversion control system and may change over time. For Git, the go command canlist most available versions without downloading commits. It will usually fetchcommits without downloading ancestor commits, but doing so is sometimesnecessary.
Once a tag is created, it should not be deleted or changed to a differentrevision. Versions are authenticated to ensure safe,repeatable builds. If a tag is modified, clients may see a security error whendownloading it. Even after a tag is deleted, its content may remainavailable on module proxies.
Once the go command has found the module root directory, it creates a .zipfile of the contents of the directory, then extracts the .zip file into themodule cache. See File path and size constraintsfor details on what files may be included in the .zip file. The contents ofthe .zip file are authenticated before extraction into themodule cache the same way they would be if the .zip file were downloaded froma proxy.
To balance the functionality and security concerns, the go command by defaultwill only use git and hg to download code from public servers. It will useany known version control system to download code from privateservers, defined as those hosting packages matching the GOPRIVATE environmentvariable. The rationale behind allowing only Git andMercurial is that these two systems have had the most attention to issues ofbeing run as clients of untrusted servers. In contrast, Bazaar, Fossil, andSubversion have primarily been used in trusted, authenticated environments andare not as well scrutinized as attack surfaces.