Feature - Vendor dependencies for hermetic builds #1188

Closed
naveensrinivasan opened this issue Oct 28, 2021 · 10 comments
@naveensrinivasan (Member)

Is your feature request related to a problem? Please describe.
Vendor dependencies for hermetic builds.

@laurentsimon (Contributor) commented Nov 1, 2021

Can you elaborate a little more?

  1. Is this "let's do it for scorecard builds" or "let's add a check in scorecard"?
  2. What do you mean by vendored dependencies? Is it like hash pinning? Or you're thinking of "runtime" vendored dependencies (fetch dependencies then build without network access)? If the former, what are the advantages of vendored vs hash pinning? Are tools like dependabot/renovabot able to update dependencies that are copied/vendored into a repo?

@naveensrinivasan (Member Author)

> Can you elaborate a little more?
>
>   1. Is this "let's do it for scorecard builds" or "let's add a check in scorecard"?

Let's do it for scorecard builds.

>   2. What do you mean by vendored dependencies? Is it like hash pinning? Or you're thinking of "runtime" vendored dependencies (fetch dependencies then build without network access)? If the former, what are the advantages of vendored vs hash pinning? Are tools like dependabot/renovabot able to update dependencies that are copied/vendored into a repo?

Runtime vendored: `go mod vendor` - download the dependencies so that we can build without network access. Dependabot can update vendored dependencies.
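The workflow described in this reply, as an added example that is not code from the issue or from the scorecard repository: run `go mod vendor` once, then build with the network switched off, plus a small shell check (my own simplified version of the consistency check the Go toolchain performs under `-mod=vendor`, an assumption, not a toolchain command) that go.mod and vendor/modules.txt still agree, which is exactly what a dependency bump in go.mod without a refreshed vendor/ would break.

```shell
#!/usr/bin/env bash
# Added example, not code from the scorecard project: vendor Go dependencies
# once, then build with the network disabled so the build is hermetic.
# Assumes it is run from the root of a Go module (any module path).
set -eu

# Step 1: populate vendor/ from go.mod and go.sum. This is the only step that
# needs network access; it also writes vendor/modules.txt, which records
# exactly which module versions were copied in.
vendor_deps() {
  go mod vendor
  go mod verify   # downloaded module contents must match go.sum
}

# Step 2: build with the module proxy and checksum database disabled. Anything
# missing from vendor/ now fails the build instead of being fetched silently.
hermetic_build() {
  GOFLAGS=-mod=vendor GOPROXY=off GOSUMDB=off go build ./...
}

# Consistency check (an assumption: a simplified shell version of the check
# the Go toolchain itself runs under -mod=vendor): every module required in
# go.mod must appear as a "# path version" line in vendor/modules.txt.
# Returns 0 when in sync, 1 otherwise, so CI can fail on a stale vendor/.
vendor_in_sync() {
  dir=${1:-.}
  [ -f "$dir/vendor/modules.txt" ] ||
    { echo "missing $dir/vendor/modules.txt" >&2; return 1; }
  # Emit "path version" for both single-line and block-form require directives.
  awk '/^require \(/ { blk = 1; next }
       /^\)/          { blk = 0 }
       blk && NF >= 2 && $1 != "//" { print $1, $2 }
       /^require [^(]/ { print $2, $3 }' "$dir/go.mod" |
  while read -r path version; do
    grep -qxF "# $path $version" "$dir/vendor/modules.txt" ||
      { echo "not vendored: $path $version" >&2; exit 1; }
  done
}
```

Running `vendor_in_sync` in CI before `hermetic_build` turns a Dependabot bump that touched go.mod but not vendor/ into a clear failure rather than a confusing build error.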

@laurentsimon (Contributor)

Where does Go store the vendored dependencies?

@naveensrinivasan (Member Author)

@laurentsimon (Contributor)

Do you know how much latency this would add to the download of the tarball?
Let's add this topic to the agenda for next meeting?

@naveensrinivasan (Member Author)

> Do you know how much latency this would add to the download of the tarball?

Could you please explain which tarball? The Scorecard or our dependencies.

> Let's add this topic to the agenda for next meeting?

Yes I will.

github-actions bot commented Jan 4, 2022

Stale issue message

github-actions bot commented Nov 5, 2023

This issue is stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Nov 5, 2023
@afmarcum afmarcum removed the slsa label Feb 29, 2024
@justaugustus (Member)

@naveensrinivasan — do we know if there was further discussion here?

@justaugustus (Member)

Closing as not planned given the discussion in #1208.

@justaugustus justaugustus closed this as not planned May 16, 2024
Scorecard automation moved this from Backlog to Done May 16, 2024