On 09.03.20 19:59, Bartłomiej Płotka wrote:

> I think the main argument for having a vendor folder is to be safe on a malicious act of a dependency actor, which removes or compromises the dependency.
>
> Anyone can replace the code for a given tag anytime really (: Given that it never happened, not sure if worth pursuing. Wonder why no one thought about some separate repo solution just for deps then (:
That's what the various go-modules proxies are for. And `go.sum` to make sure that nobody is injecting modified code.

In my understanding, the main reason for the `vendor` directory is that building from vendored sources in the `vendor` directory is an officially supported feature (introduced in Go 1.11), which should be kept working, at least for a while, to allow a smoother transition from previous build workflows to the go-modules one.

From that perspective (and IMHO), the `vendor` directory can be removed once most of the Prometheus community has fully embraced go-modules. Personally, my main concern is that that's not so easy to assess. The whole go-modules thing is not exactly uncontroversial even in the Go community at large.

--
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] [email protected]

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/20200310124142.GL14683%40jahnn.
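To make concrete how `go.sum` detects injected code, here is an added example (not part of the thread or of the Go toolchain) that reimplements the `h1:` module hash as the dirhash algorithm defines it: a sorted listing of `<sha256 hex>  <file name>` lines, hashed again with SHA-256 and base64-encoded. The file set is constructed in-memory; real `go.sum` entries hash the files of the module zip under `module@version/` paths, which this example omits for brevity.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 computes the "h1:" hash recorded in go.sum for a set of files:
// one "<hex sha256>  <name>\n" line per file in sorted name order, then
// SHA-256 over that listing, base64-encoded. Any changed byte, renamed
// file, or added/removed file changes the result.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var listing strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&listing, "%x  %s\n", sum, n)
	}
	total := sha256.Sum256([]byte(listing.String()))
	return "h1:" + base64.StdEncoding.EncodeToString(total[:])
}

// Verify mirrors what `go mod verify` does: recompute the hash of the
// downloaded module and compare it with the hash pinned in go.sum.
func Verify(files map[string][]byte, recorded string) bool {
	return Hash1(files) == recorded
}

func main() {
	// Constructed module contents standing in for a downloaded dependency.
	mod := map[string][]byte{
		"go.mod":   []byte("module example.com/dep\n\ngo 1.13\n"),
		"dep.go":   []byte("package dep\n\nfunc Answer() int { return 42 }\n"),
		"LICENSE":  []byte("Apache-2.0\n"),
	}
	pinned := Hash1(mod) // what go.sum would have recorded at first download
	fmt.Println("pinned:", pinned, "verify:", Verify(mod, pinned))

	// Same tag, re-published with a modified file: verification fails.
	mod["dep.go"] = []byte("package dep\n\nfunc Answer() int { return 41 }\n")
	fmt.Println("after tamper, verify:", Verify(mod, pinned))
}
```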

