
chore: vendor ocm #1168

Conversation

jakobmoellerdev (Contributor)

What this PR does / why we need it

This is a PR that vendors the OCM Dependency Chain.

Why?

Go Modules takes care of versioning, but it doesn't necessarily take care of modules disappearing off the Internet or the Internet not being available. If a module is not available, the code cannot be built.

For OCM this is relevant for 2 reasons:

  1. We have a huge dependency graph, and simply rebuilding with a full build cache takes 1 minute on a fast network.
  2. We are a build CLI that is critically important regarding versioned dependencies. If a dependency drops from the Go module proxy, we have no alternative without a vendored version to build OCM. This is a potential attack vector for a supply chain attack.

Which issue(s) this PR fixes
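The PR body argues that a vendored tree is the only build path left when a module disappears from the proxy. What makes that fallback trustworthy is that `vendor/modules.txt` pins exactly the versions `go.mod` requires (the `go` tool itself refuses to build with `-mod=vendor` when they disagree). The following is an added example, not code from this PR or from the OCM project: a small Go program that parses a constructed `go.mod` and a constructed `vendor/modules.txt` and reports every requirement that is missing from the vendor tree or vendored at a different version. The module paths and versions in the sample inputs are made up for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample go.mod for the example (not OCM's real go.mod).
const sampleGoMod = `module example.com/ocm-demo

go 1.22

require (
	github.com/spf13/cobra v1.8.1
	golang.org/x/sync v0.8.0
	sigs.k8s.io/yaml v1.4.0
)
`

// Constructed sample vendor/modules.txt in the format written by
// "go mod vendor". sigs.k8s.io/yaml is deliberately absent and
// golang.org/x/sync is at a different version, so the check reports
// both failure modes.
const sampleModulesTxt = `# github.com/spf13/cobra v1.8.1
## explicit; go 1.15
github.com/spf13/cobra
# golang.org/x/sync v0.7.0
## explicit; go 1.18
golang.org/x/sync/errgroup
`

// parseRequires returns module path -> version for every requirement in
// a go.mod, handling both single-line "require" and "require ( ... )"
// blocks. Comment lines inside a block are skipped.
func parseRequires(goMod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				out[f[1]] = f[2]
			}
		case inBlock:
			if f := strings.Fields(line); len(f) >= 2 && !strings.HasPrefix(f[0], "//") {
				out[f[0]] = f[1]
			}
		}
	}
	return out
}

// parseVendored returns module path -> version from the "# path version"
// header lines of vendor/modules.txt. Lines starting with "## " carry
// flags such as "explicit" and are ignored; for replaced modules the
// first two fields are still the original path and version.
func parseVendored(modulesTxt string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(modulesTxt))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "# ") {
			continue
		}
		if f := strings.Fields(line[2:]); len(f) >= 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// checkVendor returns one sorted message per requirement that is either
// not vendored at all or vendored at a version other than the one go.mod
// pins. An empty result means every pinned dependency is present locally
// and the build does not depend on the module proxy being reachable.
func checkVendor(goMod, modulesTxt string) []string {
	req := parseRequires(goMod)
	ven := parseVendored(modulesTxt)
	var problems []string
	for path, want := range req {
		got, ok := ven[path]
		switch {
		case !ok:
			problems = append(problems, fmt.Sprintf("%s@%s is required but not vendored", path, want))
		case got != want:
			problems = append(problems, fmt.Sprintf("%s: go.mod wants %s, vendor has %s", path, want, got))
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	for _, p := range checkVendor(sampleGoMod, sampleModulesTxt) {
		fmt.Println(p)
	}
}
```

Run as a CI step after `go mod vendor`, this catches a vendor tree that silently drifted from `go.mod`; the real `go build -mod=vendor` performs the same consistency check, but doing it explicitly gives a clear message about which module is out of sync rather than a build failure deep in the pipeline.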

github-actions bot added the labels kind/chore (chore, maintenance, etc.) and size/xl (Extra large) on Nov 30, 2024.

github-actions bot (Contributor)

This PR exceeds the recommended size of 10000 lines. Please make sure you are NOT addressing multiple issues with one PR. Note this PR might be rejected due to its size.
