We use dep at work and commit the vendor folder. The main benefit we see is
that it ensures consistent builds across machines, tends to be faster, and
allows offline development, assuming you don’t have to use a third-party
security or infrastructure team to download the dependencies. If you do
then it can be a bit of a nuisance because they need the tooling on their
machine. Committing the vendor folder is a lot less effort than alternative
solutions from my experience in similarly restrictive environments.
On Thu, Dec 13, 2018 at 09:00, akshita babel <akshitababel.1...@gmail.com>
wrote:

> Hey, can anyone guide me on how to take octet stream as input in API
> and/or how to convert octet stream to byte array using golang
>
> On Thu, Dec 13, 2018 at 5:14 PM snmed <sandro.p.da...@gmail.com> wrote:
>
>> I'm not sure if I fully understand your point on "vetted binaries", but
>> if every source code is vetted and then transferred to the isolated
>> environment, there should not be a problem with security issues. All the
>> developer machines already live in the same isolated environment, and I
>> would also place athens there, so all builds will be made with vetted source
>> code.
>>
>> It's easily possible that I miss some important point in this scenario, but
>> anyway I will verify your idea and take it into account for our Go
>> development strategy.
>>
>> On Thursday, 13 December 2018 10:38:30 UTC+1, ohir wrote:
>>>
>>> On Wed, 12 Dec 2018 22:15:23 -0800 (PST)
>>> snmed <sandro....@gmail.com> wrote:
>>>
>>> > Thank you very much for your reply. It seems to be a possible way to do it,
>>> > what do you think about the athens way?
>>>
>>> From the secop pov it'll be a hell's gate. Also it does not allow for
>>> vetted binary artifacts as current unix/Go ways do.
>>>
>>> > what do you think about the athens way?
>>>
>>> 1) Athens is in flux. 2) It is yet another complicated piece of software
>>> to analyze and monitor. 3) It again brings all compiling to the local
>>> machine while GOPATH way allows all devs to use binary artifacts built
>>> on the hardened builder machine.
>>>
>>> > In my point of view it would be the easiest way as far as I can preload the
>>> > athens cache with all the required packages.
>>>
>>> So the security team will need to produce an internal vetted package instead
>>> of signing a tag within the IDP 3rd party package repo.
>>>
>>> (IMO whole idea of "zipped packages" is the bad J-flu infection... Ah -
>>> CoC)
>>>
>>> > And then the only thing a developer has to do, is to set the GOPROXY to the
>>> > athens instance.
>>>
>>> It fits loose distributed settings. Not controlled ones. And I -- from
>>> "offline"/"airgap" constraint -- assumed that your client is concerned about
>>> security, not about connectivity.
>>>
>>> Hope this helps,
>>>
>>> --
>>> Wojciech S. Czarnecki
>>>  << ^oo^ >> OHIR-RIPE
>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "golang-nuts" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to golang-nuts+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
-- 
- sent from my mobile

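An added example (not from any poster in this thread) for the octet-stream question quoted above: a Go handler that reads an `application/octet-stream` request body into a `[]byte`, rejecting any other media type and bounding the read so an oversized upload cannot exhaust the server's memory. The `/upload` route, the 1 MiB limit and the function names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
)

// MaxBodyBytes caps how much body is read (assumed limit for this example).
const MaxBodyBytes = 1 << 20 // 1 MiB
var ErrWrongContentType = errors.New("expected application/octet-stream")

// ReadOctetStream returns the raw request body as a byte slice. It checks the
// Content-Type, bounds the read with http.MaxBytesReader so an oversized body
// cannot exhaust memory, then reads the remaining bytes in full.
func ReadOctetStream(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	mediaType, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mediaType != "application/octet-stream" {
		return nil, ErrWrongContentType
	}
	r.Body = http.MaxBytesReader(w, r.Body, MaxBodyBytes)
	defer r.Body.Close()
	data, err := io.ReadAll(r.Body) // data is the []byte the caller wanted
	if err != nil {
		return nil, fmt.Errorf("reading body: %w", err)
	}
	return data, nil
}

// UploadHandler maps the two failure modes to 400 and 413 and otherwise
// reports how many bytes arrived.
func UploadHandler(w http.ResponseWriter, r *http.Request) {
	data, err := ReadOctetStream(w, r)
	if err != nil {
		status := http.StatusBadRequest
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			status = http.StatusRequestEntityTooLarge
		}
		http.Error(w, err.Error(), status)
		return
	}
	fmt.Fprintf(w, "received %d bytes\n", len(data))
}

func main() {
	http.HandleFunc("/upload", UploadHandler)
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Exercise it with `curl --data-binary @file -H 'Content-Type: application/octet-stream' http://127.0.0.1:8080/upload`; a body above the limit is answered with 413 instead of being buffered.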
