This doesn't really help you. I assume Go records the sha1 hash of the commit it... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		kelnos 13 days ago \| parent \| context \| favorite \| on: Shai-Hulud malware attack: Tinycolor and over 40 N... This doesn't really help you. I assume Go records the sha1 hash of the commit it grabs, so it doesn't really matter if you vendor it, or download it every time. The problem comes when you want to upgrade your dependencies. How do you know that they are trustworthy on first use?

cyberax 13 days ago [–]

Go uses the hash of the source code, not the commit ID. So there's no difference between vendoring and using the central repo.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact