Thank you for your answer. The issue is that there really is not much control with this approach.
Any developer could potentially pull any package, avoid license review and just commit it to their project. So there is no central point of control that can limit which libraries (exactly down to particular versions) can be used by projects within a company. Also, having to commit external dependencies with your own project code seems very clunky to me, especially in comparison to what developers are used to coming from other languages. I doubt we would get much excitement from development teams if they were faced with such a requirement. It's an obvious gap compared to how elegantly (overall) the Java ecosystem has solved this problem.