Out of curiosity, if the upstream deletes their repo, does a force push
invalidating a SHA, or in some other way causes a dangling reference, how do
you protect against that without checking the dependency in? I'm thinking
about the recent issue in March with npm
(http://m.theregister.co.uk/2016/03/23/npm_left_pad_chaos/). Does it allow
for intermediate caches like Nexus?

On Wed, 13 Jul 2016 at 01:07, Sean Russell <seaneruss...@gmail.com> wrote:

> On Tuesday, July 12, 2016 at 4:25:42 PM UTC-4, Peter Mogensen wrote:
> > gvt
> >
> > It's KISS and does the job.
>
> +1
>
> gvt is the best I've used.
>
> * It doesn't force checking in the dependencies
> * The manifest is straightforward and easily committed separately
> * It's nicely encapsulated entirely in the vendor/ directory
> * The commands are straightforward and easy to understand and remember
> * The manifest is easily hackable to get around the issues with private
> repositories that most (all?) vendoring tools have
> * It doesn't force a workflow on the users; it is minimally invasive
>
> --- SER
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
