On Tue, Apr 10, 2018 at 6:41 AM, glob <g...@mozilla.com> wrote:
>> You don't permit the use of a tag for vendoring, is that intentional?
>
> to echo gps and mike's responses, use of a sha is preferred over tags.

Maybe. We currently use tags.

Think about the usage model. If the process is to author the YAML, then run a tool to vendor the identified code, the opportunity for mischief is small. It depends on whether you consider this to be defense against attack, or a user interface. I was thinking the latter. Presumably every change to the YAML would be reviewed and tested.

I'm sure that users can be trained to run `git ls-remote`, but it would be better to consider the UX trade-offs at least a little.

Simple fix: have the vendoring tool add the hash if a tag is specified.

_______________________________________________
dev-platform mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-platform
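
The "simple fix" proposed in the message above, sketched as an added example (not part of the original message and not the vendoring tool's own code): resolve a tag to the commit hash from `git ls-remote --tags` output, preferring the peeled `^{}` entry that annotated tags carry, and check a recorded hash against the tag later. The function names, the sample output and the 40-character SHA-1 assumption are this example's own.

```python
import re
import subprocess

SHA_RE = re.compile(r"[0-9a-f]{40}")  # assumption: SHA-1 object names

def commit_for_tag(ls_remote_output, tag):
    """Return the commit SHA a tag names, given `git ls-remote --tags` output."""
    ref = "refs/tags/" + tag
    direct = peeled = None
    for line in ls_remote_output.splitlines():
        sha, sep, name = line.partition("\t")
        if not sep or not SHA_RE.fullmatch(sha):
            continue  # ignore anything that is not "<sha>\t<ref>"
        if name == ref + "^{}":
            peeled = sha   # annotated tag: the commit the tag object points at
        elif name == ref:
            direct = sha   # lightweight tag, or the annotated tag object itself
    if peeled is None and direct is None:
        raise LookupError("tag not found on remote: " + tag)
    return peeled or direct

def tag_matches_pin(ls_remote_output, tag, pinned_sha):
    """True if the tag still resolves to the hash recorded at vendoring time."""
    return commit_for_tag(ls_remote_output, tag) == pinned_sha

def resolve_remote_tag(url, tag):
    """Query the remote (needs git and network access) and resolve the tag."""
    out = subprocess.run(["git", "ls-remote", "--tags", "--", url],
                         check=True, capture_output=True, text=True).stdout
    return commit_for_tag(out, tag)

# Constructed sample output: v1.0 is annotated, v1.0.1 is lightweight.
SAMPLE = (
    "a" * 40 + "\trefs/tags/v1.0\n"
    + "b" * 40 + "\trefs/tags/v1.0^{}\n"
    + "c" * 40 + "\trefs/tags/v1.0.1\n"
)

if __name__ == "__main__":
    print(commit_for_tag(SAMPLE, "v1.0"))
```

Recording the resolved hash next to the tag keeps the tag as the readable name while the hash is what gets reviewed; `tag_matches_pin` returning False on a later run means the tag was moved upstream.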