On Mon, 12 Apr 2021 at 13:47, Juergen Landwehr <[email protected]> wrote:
> But dependency management in go is not as arbitrary as it may seem.
> Dependencies and their versions are stored in "go.mod". To ensure
> reproducible builds, hashes for each dependency and version are stored in
> "go.sum". Both files are in git and together with a local golang proxy,
> this should ensure reproducible builds, right?
>

Reproducibility means anyone can run a build at any point in the future
even if the upstream repositories are gone, so all inputs must be stored in
a local download cache, which is the other thing SRC_URI guarantees, in
addition to verifying integrity of the inputs.

Alex
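Added example, not part of the original message and not Yocto or Go project code: a check of the "all inputs stored locally" half of the reply for a Go module build. It reports every artifact pinned in go.sum that is absent from a local module download cache, assuming the standard GOMODCACHE/cache/download layout; the names escapePath and MissingFromCache are hypothetical, the sample go.sum lines are constructed, and hashes are not verified here.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// escapePath applies the cache's case encoding: 'A' is stored as "!a".
func escapePath(s string) string {
	var b strings.Builder
	for _, r := range s {
		if 'A' <= r && r <= 'Z' {
			b.WriteByte('!')
			r += 'a' - 'A'
		}
		b.WriteRune(r)
	}
	return b.String()
}

// MissingFromCache (hypothetical helper) returns the cache-relative path of
// each artifact pinned in goSum that is absent under cacheDir.
func MissingFromCache(goSum, cacheDir string) []string {
	var missing []string
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // module, version[/go.mod], h1:hash
		if len(f) != 3 {
			continue
		}
		ver, ext := f[1], ".zip" // plain line pins the source archive
		if strings.HasSuffix(ver, "/go.mod") {
			ver, ext = strings.TrimSuffix(ver, "/go.mod"), ".mod"
		}
		rel := filepath.Join(escapePath(f[0]), "@v", escapePath(ver)+ext)
		if _, err := os.Stat(filepath.Join(cacheDir, rel)); err != nil {
			missing = append(missing, rel)
		}
	}
	return missing
}

func main() {
	sum := "example.com/Foo/bar v1.2.0 h1:PLACEHOLDER=\n" // constructed entry
	fmt.Println(MissingFromCache(sum, filepath.Join(os.TempDir(), "empty-cache")))
}
```

An empty result means every pinned input is present locally; it says nothing about integrity, which the h1: hashes in go.sum cover separately.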
