Re: [go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-28 Thread 'Axel Wagner' via golang-nuts
On Mon, Jun 28, 2021, 09:33 josvazg wrote: > I do agree with all that. All very good points indeed. > > What about prevention? > > It can happen that a project looks very active and trustworthy when you > chose to depend on it. But later on, it decides to take on new dependencies > that are less

Re: [go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-28 Thread josvazg
I do agree with all that. All very good points indeed. What about prevention? It can happen that a project looks very active and trustworthy when you chose to depend on it. But later on, it decides to take on new dependencies that are less reliable, or starts being less and less maintained. If

Re: [go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-26 Thread Brian Candler
If we're talking about an OSS project here, then having one of the dependencies vanish is "just" a case of replacing that dependency in the project. That is, it's part of normal project maintenance, in the same way that if a severe security issue were discovered in a dependency, you'd have to

Re: [go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-26 Thread josvazg
Maybe the answer is something like: - DO NOT vendor in OSS go library repos. Use go proxies, or at least, let library consumers use go proxies with your library and do not force your deps on them. - Have the CLI/compilable repo do the vendoring. - Even better, keep all your repos unvendored and

Re: [go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-25 Thread josvazg
The problem with dependencies is that you can control what you depend on directly, but not what those dependencies depend on. I understand what you are basically saying is https://proxy.golang.org should be safe as long as all your dependencies, including transitive ones, have proper licenses.

Re: [go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-25 Thread David Finkel
On Fri, Jun 25, 2021 at 1:23 PM josvazg wrote: > When working on internal company projects, it makes sense to use a company > wide GO Proxy assuring that all go dependency code is available and > immutable. But when you move to an Open Source project, you can no longer > use such a private proxy. >

[go-nuts] Recomended GOPROXY (or not) for Open Source projects?

2021-06-25 Thread josvazg
When working on internal company projects, it makes sense to use a company wide GO Proxy assuring that all go dependency code is available and immutable. But when you move to an Open Source project, you can no longer use such a private proxy. I wonder what is the best practice recommendation for