On Tue, 2022-01-18 at 15:00 +0100, Stefan Herbrechtsmeier wrote:
> On 18.01.2022 at 14:40, Richard Purdie wrote:
> > On Tue, 2022-01-18 at 14:00 +0100, Stefan Herbrechtsmeier wrote:
> > > In summary we use a language specific lock file based approach which
> > > supports offline build, license checks and CVE scans and leaves the
> > > dependency management and fixing outside of OE to limit the recipe count
> > > and required resources.
> >
> > I think so. It isn't the perfect solution but it is what will likely be the
> > most successful/practical.
> >
> > > Should this be unified between Node.js / npm, Go, Rust / Cargo and
> > > Python / Pipfile?
> >
> > I don't think it makes sense to dictate that and make a hard rule. Where
> > there are many dependencies and we can't easily control the dependency
> > mechanism in the language, yes. Not everything has as granular dependencies
> > as npm though.
>
> But do we have a consensus that we prefer existing lock files and a
> specific fetcher instead of a multi-line SRC_URI generated by recipetool?

I think either can be acceptable, it really depends on the situation.

Cheers,

Richard
