On Fri, Jun 19, 2020 at 07:54:29AM -0700, Brian Adkins wrote:
> On Friday, June 19, 2020 at 8:09:04 AM UTC-4, Neil Van Dyke wrote:
> >
> > For an important production system, you probably want the source of any 
> > third-party packages on which you depend to be in Git (or another SCM 
> > system) that you control. 
> >
> > You might also want to audit those packages yourself, as well as audit 
> > any new version changes to them, before you push to production. 
> >
> > After you do those things in SCM, depending how you do it, you *might* 
> > find it's more convenient to simply load the third-party code you need 
> > using the module system `require` only, without an additional package 
> > system. 
> >
> 
> While I see some benefits of this approach, I just looked at a typical 
> Rails project of mine, and it has over 160 packages with some packages 
> depending on different versions of other packages, etc., so I think 
> managing all of this myself in git might be overly burdensome. Granted, my 
> current Racket apps have far fewer dependencies, but I expect that may 
> increase over time. 

If you want to avoid problems with software you use changing 
unpredictably, you will have to use your own copy that does not 
change at all.

I don't see another alternative if your upstream source might change at 
any time.

And you will likely have to vet any changes that appear upstream in 
case they actually do fix security-related issues that might already 
affect you.  It will be up to you to determine the risks of leaving 
your local copy unchanged.

-- hendrik
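
An added example, not part of the original message or of Racket's own tooling: one way to apply the practice discussed in this thread, by recording a hash manifest of the audited vendored copy, checking that the copy has not changed since, and listing the upstream files that would need vetting before an update. The function names, directory layout and file names are assumptions, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and ".git" not in rel.parts:  # skip SCM metadata
            manifest[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def verify_vendored(root, pinned):
    """True only if the vendored copy is byte-identical to what was audited."""
    return tree_manifest(root) == pinned

def changes_to_vet(pinned, upstream):
    """List what differs between the audited copy and a newer upstream tree."""
    return {
        "added": sorted(set(upstream) - set(pinned)),
        "removed": sorted(set(pinned) - set(upstream)),
        "modified": sorted(p for p in set(pinned) & set(upstream)
                           if pinned[p] != upstream[p]),
    }

def demo():
    """Constructed sample: an audited vendored copy and a newer upstream checkout."""
    with tempfile.TemporaryDirectory() as tmp:
        vendored, upstream = Path(tmp, "vendored"), Path(tmp, "upstream")
        for d in (vendored, upstream):
            d.mkdir()
            (d / "info.rkt").write_text("#lang info\n")
        (vendored / "main.rkt").write_text("#lang racket/base\n(define v 1)\n")
        (upstream / "main.rkt").write_text("#lang racket/base\n(define v 2)\n")
        (upstream / "extra.rkt").write_text("#lang racket/base\n")

        pinned = tree_manifest(vendored)            # recorded at audit time
        ok_before = verify_vendored(vendored, pinned)
        report = changes_to_vet(pinned, tree_manifest(upstream))

        (vendored / "main.rkt").write_text("edited after audit\n")
        ok_after = verify_vendored(vendored, pinned)  # drift is detected
        return ok_before, report, ok_after

if __name__ == "__main__":
    print(demo())
```

In practice the pinned manifest would be committed alongside the vendored source, so a change to either shows up in review.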

> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Racket Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to racket-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/racket-users/32b8f70a-4033-43db-aca3-b30b9023f3a3o%40googlegroups.com.
