[openstack-dev] [tc] supporting Go
Eric Larson
eric.larson at rackspace.com
Wed May 11 19:57:47 UTC 2016
Jim Rollenhagen writes:
> On Wed, May 11, 2016 at 03:36:09PM +0200, Thomas Goirand wrote:
>> On 05/11/2016 02:41 PM, Jim Rollenhagen wrote:
>> >> Installing from $language manager instead of distro
>> >> packages, be it in containers or not, will almost always
>> >> make you download random blobs from the Internet, which are
>> >> of course changing over time without any notice, losing the
>> >> above 3 important features.
>> >
>> > Unless you pin the versions of your dependencies.
>>
>> Pinning versions doesn't change the fact that you'll have to
>> trust a large amount of providers, with some of the files
>> stored in a single location on the Internet. Yes, you can add a
>> cache, etc. but these are band-aids...
>
> Well, if we're talking about python, it all comes from PyPI. For
> Go, the recommendation is for everything to come from GitHub,
> but you can choose other sources if you desire.
>
To clarify, Go best practices are to check out the repo into a
vendor directory that must be updated explicitly. While not
everyone commits the vendored deps, I'd argue it is a reasonable
practice, which means that at build time within a CI system, there
should be *NO* dependencies resolved. Tools such as glide
(https://github.com/Masterminds/glide) also create a `glide.lock`
that provides the dependencies from the latest build, that can be
checked into source control.
--
Eric Larson | eric.larson at rackspace.com
Software Developer | Cloud DNS | OpenStack Designate
Rackspace Hosting | Austin, Texas
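
One way a CI job could enforce the "no dependencies resolved at build time" property described in the message above. This is an added example, not code from the post or from glide. The function name `unvendoredImports`, the `example.com/self` project prefix and the "dot in the first path element means third-party" heuristic are assumptions made for illustration.

```go
package main

import (
	"go/parser"
	"go/token"
	"io/fs"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// unvendoredImports lists third-party imports under root with no copy in root/vendor.
func unvendoredImports(root, self string) ([]string, error) {
	var missing []string
	seen := map[string]bool{}
	fset := token.NewFileSet()
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		switch {
		case err != nil:
			return err
		case d.IsDir() && d.Name() == "vendor":
			return filepath.SkipDir // only the project's own sources are scanned
		case d.IsDir() || !strings.HasSuffix(p, ".go"):
			return nil
		}
		f, err := parser.ParseFile(fset, p, nil, parser.ImportsOnly)
		if err != nil {
			return err
		}
		for _, imp := range f.Imports {
			path := strings.Trim(imp.Path.Value, "\"`")
			// Assumption: stdlib paths have no dot in their first element; self is the project's own prefix.
			if !strings.Contains(strings.SplitN(path, "/", 2)[0], ".") || (self != "" && strings.HasPrefix(path, self)) || seen[path] {
				continue
			}
			seen[path] = true
			if _, err := os.Stat(filepath.Join(root, "vendor", filepath.FromSlash(path))); err != nil {
				missing = append(missing, path) // would have to be fetched at build time
			}
		}
		return nil
	})
	return missing, err
}

func main() {
	if missing, err := unvendoredImports(".", "example.com/self"); err != nil || len(missing) > 0 { // placeholder prefix
		log.Fatalf("imports not vendored: %v (err: %v)", missing, err)
	}
}
```

Run from the repository root as a pre-build CI step; a non-zero exit means the build would need to fetch code that is not under source control.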