by pcwalton
2883 days ago
> Lock files also remove the "silent security fix" that was touted as the benefit of other systems.

That is the great thing about lock files. You don't have to check them in. If you want reproducible builds, you do check them in. If you don't, you don't. The user, not the package manager, gets to make this choice on a case-by-case basis.

> The difference is in default behavior of the system: vgo by default picks predictable, consistent version of dependencies. That version doesn't change if dependencies release new versions.

And that right there is the problem. You don't get the latest version unless you explicitly ask for it. This makes the user do what a package manager is perfectly capable of doing. It thrusts the problem onto the user instead of applying a well-known solution that was causing problems for nobody. If you are writing an application, don't you want your transitive dependencies to get security fixes without having to trawl through the tree?