On Tue, Apr 10, 2018 at 6:41 AM, glob <g...@mozilla.com> wrote:
>> You don't permit the use of a tag for vendoring, is that intentional?
> to echo gps and mike's responses, use of a sha is preferred over tags.

Maybe.  We currently use tags.

Think about the usage model.  If the process is to author the YAML,
then run a tool to vendor the identified code, the opportunity for
mischief is small.  It depends on whether you consider this to be
defense against attack, or a user interface.  I was thinking the
latter.  Presumably every change to the YAML would be reviewed and

I'm sure that users can be trained to run `git ls-remote`, but it
would be better to consider the UX trade-offs at least a little.
Simple fix: have the vendoring tool add the hash if a tag is
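
A sketch of the tag-to-hash step discussed above, added here as an example; it is not part of the original message or of any existing vendoring tool. The function names and the sample `git ls-remote` output (with made-up hashes) are constructed for illustration.

```python
import re
import subprocess

# Full object id: 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
SHA_RE = re.compile(r"^[0-9a-f]{40}([0-9a-f]{24})?$")

# Constructed sample of `git ls-remote --tags <url>` output; hashes are made up.
# An annotated tag yields two lines: the tag object and the peeled commit (^{}).
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v1.0\n"
    "2222222222222222222222222222222222222222\trefs/tags/v1.1\n"
    "3333333333333333333333333333333333333333\trefs/tags/v1.1^{}\n"
)


def parse_ls_remote(output):
    """Map each tag name to the commit it points at, preferring peeled entries."""
    direct, peeled = {}, {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, _, ref = line.partition("\t")
        if not SHA_RE.match(sha) or not ref.startswith("refs/tags/"):
            raise ValueError(f"unexpected ls-remote line: {line!r}")
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha   # commit behind an annotated tag
        else:
            direct[name] = sha
    return {**direct, **peeled}


def resolve_revision(revision, ls_remote_output):
    """Return (commit_sha, tag_or_None) for a revision written in the YAML."""
    if SHA_RE.match(revision):
        return revision, None         # already pinned to a hash
    tags = parse_ls_remote(ls_remote_output)
    if revision not in tags:
        raise LookupError(f"tag {revision!r} not found on remote")
    return tags[revision], revision   # record the hash, keep the tag as a label


def fetch_ls_remote(url):
    """Query a real remote; not used by the offline sample above."""
    return subprocess.run(
        ["git", "ls-remote", "--tags", "--", url],  # "--" stops option parsing
        check=True, capture_output=True, text=True,
    ).stdout
```

Recording the returned hash next to the tag in the YAML lets a reviewer see when a tag has been moved, because the hash in the diff changes.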
