I would love to have it removed, and in fact, I plan in my personal time to blog post and talk more about not storing someone else's code in your own repository and why the vendor is (IMO) evil (: I hope also to help in any tooling that will fix the malicious dep problem without vendoring as well.
Anyway, I fully agree with Björn that there is no urgent need, so I don't have a strong opinion to fix this in Prometheus now, but anyway I would love to hear more opinions on the incoming DevSummit +1

Looks like thanks to Björn we already have that on our agenda.

Thanks for raising this Sylvain.

Kind Regards,
Bartek

On Thu, 12 Mar 2020 at 16:47, Julien Pivotto <[email protected]> wrote:

> On 12 Mar 17:42, Bjoern Rabenstein wrote:
> > On 11.03.20 23:58, Sylvain Rabot wrote:
> > > Several maintainers have given their thoughts on the subjects now.
> > >
> > > What would be the next step ?
> > >
> > > Should this be put to a vote ?
> >
> > We could.
> >
> > My personal opinion is that if somebody commits to do the work of
> > changing our build processes to not use/have the `vendor` directory,
> > I'd be for it.
> >
> > However, from the mail conversation and also from some personal
> > communication I had with a few team members, there are many who don't
> > really want to change the status quo right now, and some even prefer
> > to keep the `vendor` directory around.
> >
> > Since the current state doesn't really block any other feature
> > development, and since the appetite for change doesn't seem to be very
> > high generally, I would say this is not super pressing at the moment,
> > and I wouldn't spin up the machinery of a formal vote for it right
> > now. It might, however, be a great topic to discuss at the next
> > developer summit. I have already added it to the agenda. (It was
> > planned to happen during KubeCon EU. Since the latter has been
> > postponed, we might do a virtual summit, but that's not finalized
> > yet.)
>
> After reading everything, I personally don't object to remove the vendor
> directory. My personal gut is to keep it but there don't seem to be a
> lot of good technical reasons to do so.
>
> My very preferred choice would be to remove it but still to archive a
> 'vendor' directory within our CI process (next to the binaries?) to
> ensure we still have the exact code around.
>
> +1 to put it on the dev summit agenda.
>
> --
>  (o-    Julien Pivotto
>  //\    Open-Source Consultant
>  V_/_   Inuits - https://www.inuits.eu
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-developers/20200312164709.GA21031%40oxygen
> .

