Le 2019-03-11 19:15, Matthew Dempsky a écrit :
On Mon, Mar 11, 2019 at 11:09 AM Florian Weimer
<fweimer(a)redhat.com>
wrote:
> How do you plan to bypass the notary requirement?
I don't work on the Go-inside-Google integration work, so someone else
may have to weigh in if it's appropriate to share those plans. My
point with mentioning Google's hermetic build system is more to
emphasize that the Go developers are very familiar with that build
model and care about keeping it working. The claims that the Go module
system is being built without consideration of those requirements seem
very mistaken.
That said, the notary is only involved when adding new lines to the
go.sum file to handle adding or updating dependencies. There's no
requirement to contact the Go notary when the go.sum file is already
complete.
Which we be pretty much the case all the time for us, since we build
against out own curated set of modules, not the ones upstream found on
the Internet.
In fact, I'm pretty sure we will start each build by removing the
upstream go.sum file altogether.
Regards,
--
Nicolas Mailhot