Sat, Jan 7, 2017, 9:04 AM Jacek Furmankiewicz
> wrote:
>
>> Hi Daniel.
>>
>> I participated in the great Go survey on dependency management a while
>> back and raised these concerns there.
>> I read the summary of that once it was completed and was kinda
>>
Hi Daniel.
I participated in the great Go survey on dependency management a while back
and raised these concerns there.
I read the summary of that once it was completed and was kinda disappointed
to see that none of these points seem to be getting addressed or even
acknowledged as a problem.
h
in theory, sure. In practice, not always.
We've had really difficult individuals who refused to be bothered with
going through proper license review.
Some of them don't work here any more.
In one case it was a team lead, so peer review would not work, since the
whole team "learned" to ignore p
I doubt that will fly. Once again there is little control.
Any developer can pull in any package they want and bypass the central control
mechanism.
The HTTP proxy suggestion seems ingenious...but pretty hard to implement
from a network perspective.
We have developers in the office, we have develop
Thank you for your answer.
Issue is that there really is not much control with this approach.
Any developer could potentially pull any package, avoid license review and
just commit it to their project.
So there is no central point of control that can limit which libraries
(exactly down to particul
Hi everyone,
We are operating in a SOC2 environment, which our customers demanded as we
host their systems and their data.
It's a common requirement for many companies in a cloud environment.
One of the key requirements of SOC2 is that *all* external
libraries/dependencies are mirrored internally