One shortcoming I see in this proposal compared to dep is the necessity of operating a proxy to achieve reasonable security. Without a proxy or a lock file, a repository take-over as it happened in the case of go-bindata will lead to vgo automatically downloading potentially malicious code.
In the case of dep the lock file ensures that the exact commit hash is fetched until "dep ensure -update" is run explicitly, even if the git tag itself has been changed to point to a different commit. If the vendor directory is committed to VCS, the build continues to work safely irrespective of what happens in GitHub or any other repository host.

--
Chandra Sekar.S

On Tue, Feb 20, 2018 at 10:50 PM, Russ Cox <r...@golang.org> wrote:
> Hi everyone,
>
> I have a new blog post you might be interested in.
> https://research.swtch.com/vgo.
>
> I'll try to watch this thread to answer any questions.
>
> Best,
> Russ
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
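The post's point is that a lock file records the exact commit, so a tag that is later re-pointed (as in the go-bindata take-over it mentions) does not change what gets fetched. The Go program below is an added illustration of that check and is not part of the thread, dep or vgo: it parses a minimal, constructed `Gopkg.lock` fragment (only the `name`, `version` and `revision` keys of each `[[projects]]` table, a hypothetical subset parser rather than dep's own), compares each pinned revision against a constructed map of what the repository host currently returns for that tag, and reports every tag that no longer resolves to the locked commit. The import paths and hashes are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Project is one [[projects]] entry from a dep Gopkg.lock: the import path,
// the tag dep resolved, and the commit hash it pinned at resolution time.
type Project struct {
	Name     string
	Version  string
	Revision string
}

// ParseLock reads the subset of Gopkg.lock needed here (hypothetical minimal
// parser, not dep's): [[projects]] tables with name, version and revision keys.
func ParseLock(lock string) []Project {
	var projects []Project
	cur := -1 // index of the [[projects]] table currently being filled
	sc := bufio.NewScanner(strings.NewReader(lock))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "[[projects]]":
			projects = append(projects, Project{})
			cur = len(projects) - 1
		case cur >= 0 && strings.Contains(line, "="):
			kv := strings.SplitN(line, "=", 2)
			key := strings.TrimSpace(kv[0])
			val := strings.Trim(strings.TrimSpace(kv[1]), "\"")
			switch key {
			case "name":
				projects[cur].Name = val
			case "version":
				projects[cur].Version = val
			case "revision":
				projects[cur].Revision = val
			}
		}
	}
	return projects
}

// Finding describes a dependency whose tag no longer resolves to the commit
// recorded in the lock file.
type Finding struct {
	Name, Version, Locked, Resolved string
}

// CheckPins compares each locked project against what the repository host now
// returns for the same tag (tagToCommit is keyed by "name@version"). dep would
// fetch the pinned revision regardless; a mismatch means the tag was moved after
// the lock was written, which is exactly what a tag-only resolver would follow.
func CheckPins(projects []Project, tagToCommit map[string]string) []Finding {
	var findings []Finding
	for _, p := range projects {
		resolved, ok := tagToCommit[p.Name+"@"+p.Version]
		if !ok || resolved == p.Revision {
			continue
		}
		findings = append(findings, Finding{p.Name, p.Version, p.Revision, resolved})
	}
	return findings
}

// Constructed sample lock file; the hashes are placeholders, not real commits.
const sampleLock = `
[[projects]]
  name = "example.com/lib/safe"
  version = "v1.2.0"
  revision = "aaaa1111"

[[projects]]
  name = "example.com/lib/moved"
  version = "v2.0.1"
  revision = "bbbb2222"
`

// Constructed view of what the host currently returns for each tag. The second
// tag has been re-pointed since the lock was written.
var currentTags = map[string]string{
	"example.com/lib/safe@v1.2.0":  "aaaa1111",
	"example.com/lib/moved@v2.0.1": "cccc3333",
}

func main() {
	for _, f := range CheckPins(ParseLock(sampleLock), currentTags) {
		fmt.Printf("%s %s: lock pins %s but the tag now resolves to %s; keep building from the pinned revision\n",
			f.Name, f.Version, f.Locked, f.Resolved)
	}
}
```

Running it reports only `example.com/lib/moved`, whose tag now points somewhere else; `example.com/lib/safe` is silent because tag and lock still agree. The same comparison is what a committed vendor directory makes moot: with the source checked in, nothing is fetched at build time at all.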