In theory, sure. In practice, not always. We've had really difficult individuals who refused to be bothered with going through proper license review. Some of them don't work here any more.
In one case it was a team lead, so peer review would not work, since the whole team "learned" to ignore proper procedures. That is why we finally forced mirroring of JS NPM packages in our network and from then on were able to lock it down finally. All Java devs know the rules, and with Gradle and build servers locked down, they all follow the rules. But checking in 3rd party source code directly into our repo is a nasty way to bypass all of this.

Just to give you an idea, for SOC2 we get audited by an auditor. They can go through all of our build procedures, source code, etc. If they don't like what they see (and this would probably qualify) we fail the audit. This goes straight to the CEO and gets communicated to customers.