by kelnos 275 days ago
This doesn't really help you. I assume Go records the sha1 hash of the commit it grabs, so it doesn't really matter if you vendor it, or download it every time.

The problem comes when you want to upgrade your dependencies. How do you know that they are trustworthy on first use?

1 comments

Go uses the hash of the source code, not the commit ID. So there's no difference between vendoring and using the central repo.
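
The content-hash scheme mentioned in the reply above, as an added example that is not part of the original thread: it follows the `h1:` directory-hash algorithm used for `go.sum` entries (SHA-256 per file, a sorted listing, then SHA-256 of that listing). The function name `hashTree` and the module paths and file contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hashTree computes an "h1:" digest over a file tree: SHA-256 each file,
// write "<hex>  <path>\n" lines in sorted path order, then SHA-256 that
// listing and base64-encode it. Only names and bytes go in, so the result
// does not depend on a commit ID or on where the files were obtained.
func hashTree(files map[string][]byte) (string, error) {
	names := make([]string, 0, len(files))
	for name := range files {
		if strings.Contains(name, "\n") {
			// A newline in a name would make the listing ambiguous.
			return "", fmt.Errorf("file name contains newline: %q", name)
		}
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

func main() {
	// Constructed module tree; paths follow the module@version/file layout.
	fetched := map[string][]byte{
		"example.com/lib@v1.0.0/go.mod": []byte("module example.com/lib\n"),
		"example.com/lib@v1.0.0/lib.go": []byte("package lib\n"),
	}
	recorded, _ := hashTree(fetched) // the value that would be pinned

	// A later copy with one changed file no longer matches the pin.
	fetched["example.com/lib@v1.0.0/lib.go"] = []byte("package lib // changed\n")
	later, _ := hashTree(fetched)
	fmt.Println(recorded, later, recorded == later)
}
```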