Just to briefly note the discussion in https://github.com/golang/go/issues/27858 (and other issues linked within that one). On Fri, 14 Dec 2018 at 15:00, David Riley <fraveyd...@gmail.com> wrote: > > Hi all, > > We're building with go 1.10.x and dep for a project at work, and having been > bitten twice in the space of a week with unversioned upstream executables > fetched via "go get" causing strife with versioned vendor code fetched by > "dep", we've been working on making our build environment hermetic (we'll be > moving to modules soon when we move to 1.11, especially because we use > Artifactory, which supports vgo registries so we can protect our build chain, > but for now we're stuck with dep). > > Our common solution for this is to make sure the tool is put in the > "required" stanza in Gopkg.toml, then running "dep ensure" to make sure it > ends up in the Gopkg.lock file so the Docker build can pick it up when it > runs "dep ensure --vendor-only". This works pretty well for protoc-gen-go > from protobuf and mockgen (the two tools that broke our build this past > week), but I also want to do the same for goyacc, which lives in > golang.org/x/tools. > > I notice that nothing from the golang.org repository is at all versioned, so > as far as I can tell, it all comes from the master branch. How do I version > these to ensure that they don't break with older/other Go versions? Is there > some sort of guarantee that they'll work at least n revisions back? I'm > already extremely skeptical about the practice of just fetching all packages > from git repositories, given how easy it is to slip malicious code in that > way, so requiring a "go get" for those tools doesn't exactly give me the warm > and fuzzies. > > > - Dave > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout.
-- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
