Jim Rollenhagen writes:
On Wed, May 11, 2016 at 03:36:09PM +0200, Thomas Goirand wrote:
On 05/11/2016 02:41 PM, Jim Rollenhagen wrote:
>> Installing from $language manager instead of distro
>> packages, be it in containers or not, will almost always
>> make you download random blobs from the Internet, which are
>> of course changing over time without any notice, losing the
>> above 3 important features.
>
> Unless you pin the versions of your dependencies.
Pinning versions doesn't change the fact that you'll have to
trust a large amount of providers, with some of the files
stored in a single location on the Internet. Yes, you can add a
cache, etc. but these are band-aids...
Well, if we're talking about python, it all comes from PyPI. For
Go, the recommendation is for everything to come from Github,
but you can choose other sources if you desire.
To clarify, Go best practices are to check out the repo into a
vendor directory that must be updated explicitly. While not
everyone commits the vendored deps, I'd argue it is a reasonable
practice, which means that at build time within a CI system, there
should be *NO* dependencies resolved. Tools such as glide
(https://github.com/Masterminds/glide) also create a `glide.lock`
that provides the dependencies from the latest build, that can be
checked into source control.
--
Eric Larson | eric.lar...@rackspace.com
Software Developer | Cloud DNS | OpenStack Designate
Rackspace Hosting | Austin, Texas
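As an added example (not code from the original message, from glide, or from any OpenStack project), here is a small Go program that performs the two checks a CI job would want once glide.lock and the vendor tree are committed: every build import recorded in glide.lock is pinned to a full commit SHA rather than a tag or branch name the upstream can move, and every one of them is present under vendor/, so the build can run with no dependencies resolved from the network. The glide.lock content is constructed, the github.com/example/... import paths are hypothetical, and the parser handles only the flat name/version layout glide writes, not general YAML.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// sampleLock is a constructed glide.lock for illustration, not from any real
// project. The "floating" entry deliberately records a tag rather than a
// commit, which is exactly the case the checks below are meant to catch.
const sampleLock = `hash: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
updated: 2016-05-11T10:00:00Z
imports:
- name: github.com/example/alpha
  version: 1111111111111111111111111111111111111111
- name: github.com/example/floating
  version: v1.2.3
- name: github.com/example/gamma
  version: 2222222222222222222222222222222222222222
  subpackages:
  - sub
testImports:
- name: github.com/example/testonly
  version: 3333333333333333333333333333333333333333
`

// LockedImport is one entry of the imports list in glide.lock.
type LockedImport struct {
	Name    string // import path as glide records it
	Version string // revision glide resolved; a full commit SHA when pinned
}

// parseGlideLock pulls name/version pairs out of glide.lock. The file is
// YAML, but only the flat "- name:" / "  version:" layout that glide writes
// is handled here, so no YAML library is needed. testImports are skipped
// because they are not needed to build the binary.
func parseGlideLock(text string) []LockedImport {
	var imports []LockedImport
	inImports := false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.HasPrefix(line, "imports:"):
			inImports = true
		case strings.HasPrefix(line, "testImports:"):
			inImports = false
		case !inImports:
			// hash:, updated:, and anything outside the imports list
		case strings.HasPrefix(line, "- name: "):
			imports = append(imports, LockedImport{Name: strings.TrimSpace(line[len("- name: "):])})
		case strings.HasPrefix(line, "  version: ") && len(imports) > 0:
			imports[len(imports)-1].Version = strings.TrimSpace(line[len("  version: "):])
		}
	}
	return imports
}

// commitSHA matches a full 40-hex git object name, the only kind of version
// the upstream cannot move after the lock file was written.
var commitSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// unpinned returns the imports whose recorded version is a tag or branch name
// instead of a commit SHA; those entries do not give a reproducible build.
func unpinned(imports []LockedImport) []string {
	var bad []string
	for _, imp := range imports {
		if !commitSHA.MatchString(imp.Version) {
			bad = append(bad, imp.Name)
		}
	}
	return bad
}

// missingFromVendor returns the imports with no directory under vendorDir.
// When nothing is missing, the CI build needs no network access at all.
func missingFromVendor(imports []LockedImport, vendorDir string) []string {
	var missing []string
	for _, imp := range imports {
		fi, err := os.Stat(filepath.Join(vendorDir, filepath.FromSlash(imp.Name)))
		if err != nil || !fi.IsDir() {
			missing = append(missing, imp.Name)
		}
	}
	return missing
}

func main() {
	imports := parseGlideLock(sampleLock)
	fmt.Printf("%d build imports in lock file\n", len(imports))
	for _, name := range unpinned(imports) {
		fmt.Println("not pinned to a commit:", name)
	}
	// "vendor" is assumed to be the checked-in vendor directory in the working tree.
	for _, name := range missingFromVendor(imports, "vendor") {
		fmt.Println("not present in vendor/:", name)
	}
}
```

Run from the repository root so that "vendor" resolves to the committed tree; a non-empty result from either check is a reason to fail the build rather than let it reach out to GitHub for whatever the tag currently points at.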
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev