On 10 Mar 13:41, Bjoern Rabenstein wrote:
> On 09.03.20 19:59, Bartłomiej Płotka wrote:
> >
> > I think the main argument for having a vendor folder is to be safe against a
> > malicious act by a dependency actor, which removes or compromises the
> > dependency.
> > Anyone can replace the code for a given tag anytime really (: Given that it
> > never happened, not sure if worth pursuing. Wonder why no one thought about
> > some separate repo solution just for deps then (:
>
> That's what the various go-modules proxies are for. And `go.sum` to
> make sure that nobody is injecting modified code.
>
> In my understanding, the main reason for the `vendor` directory is
> that building from vendored sources in the `vendor` directory is an
> officially supported feature (introduced in Go 1.11), which should be
> kept working, at least for a while, to allow a smoother transition
> from previous build workflows to the go-modules one.
>
> From that perspective (and IMHO), the `vendor` directory can be
> removed once most of the Prometheus community has fully embraced
> go-modules. Personally, my main concern is that that's not so easy to
> assess. The whole go-modules thing is not exactly uncontroversial even
> in the Go community at large.
As far as I know the main Go proxies are maintained by Google, and we cannot afford to host one for the project in the long term. Google is not really known for their long-term commitments.

I know that in the past we wanted to rebuild old releases of Prometheus and could not (for unrelated reasons!). If now (or in X years) the goproxy decides to garbage collect dependencies untouched for x months and the upstream is gone, rebuilding old releases will be even more difficult.

My question about the license check is still unanswered. I will ping CNCF about this question, too.

>
> --
> Björn Rabenstein
> [PGP-ID] 0x851C3DA17D748D03
> [email] [email protected]

--
 (o-    Julien Pivotto
 //\    Open-Source Consultant
 V_/_   Inuits - https://www.inuits.eu

To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/20200310124818.GA12158%40oxygen.
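As an added illustration of the `go.sum` point in Björn's reply (example code written for this page, not from the thread or the Prometheus project): a script that cross-checks a `vendor/modules.txt` against `go.sum` and flags vendored module versions that have no zip hash recorded in `go.sum` (so `go mod verify` has nothing to anchor the vendored tree to), as well as malformed hash lines. The `go.sum` and `modules.txt` contents are constructed samples with made-up digests.

```python
import base64
import re
# h1: is base64(SHA-256): 43 base64 characters plus one '=' of padding.
H1_RE = re.compile(r"^h1:[A-Za-z0-9+/]{43}=$")
# Constructed go.sum (digests made up): lib has both hashes, other only go.mod, bad is truncated.
GO_SUM = """\
github.com/example/lib v1.2.0 h1:Q3rzG1h2J9kDf0YtUuPQx8L7vVmaZbC5dEwN4oHsKiA=
github.com/example/lib v1.2.0/go.mod h1:mVx2NdP7Qb8fZkL0wR3sT9uY1aC4eG6hJ8iK0lM2nOp=
github.com/example/other v0.3.1/go.mod h1:sKq9Wm3xBv5cD7fH2jL4nP6rT8uV0yZ1aE3gI5kM7oQ=
github.com/example/bad v0.1.0 h1:short=
"""
# Constructed vendor/modules.txt in the layout `go mod vendor` writes: header, flags, packages.
MODULES_TXT = """\
# github.com/example/lib v1.2.0
## explicit
github.com/example/lib
# github.com/example/other v0.3.1
# github.com/example/orphan v2.0.0+incompatible
"""

def parse_go_sum(text):
    """Return ({(module, version): {"zip"|"mod": digest}}, [problems])."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) != 3:  # blank lines are fine, anything else is not
            if parts:
                problems.append(f"go.sum:{lineno}: expected 3 fields, got {len(parts)}")
            continue
        module, version, digest = parts
        # A '/go.mod' suffix means the hash covers go.mod alone, not the module's code.
        kind, version = ("mod", version[:-7]) if version.endswith("/go.mod") else ("zip", version)
        if not H1_RE.match(digest) or len(base64.b64decode(digest[3:])) != 32:
            problems.append(f"go.sum:{lineno}: malformed hash for {module} {version}")
            continue
        entries.setdefault((module, version), {})[kind] = digest
    return entries, problems

def parse_modules_txt(text):
    """Vendored versions are the '# module version' lines; '##' lines are flags."""
    return [tuple(line[2:].split()[:2]) for line in text.splitlines()
            if line.startswith("# ")]

def check_vendor_against_go_sum(go_sum, modules_txt):
    """A vendored module is anchored to go.sum only if its zip hash is recorded."""
    entries, findings = parse_go_sum(go_sum)
    for module, version in parse_modules_txt(modules_txt):
        if "zip" not in entries.get((module, version), {}):
            findings.append(f"{module}@{version}: vendored but go.sum has no zip hash")
    return findings
```

Run `check_vendor_against_go_sum` on a real checkout's `go.sum` and `vendor/modules.txt` to list modules whose vendored copy is not covered by any recorded hash.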

