On Mon, Mar 11, 2019 at 11:09 AM Florian Weimer <fweimer(a)redhat.com> wrote:
How do you plan to bypass the notary requirement?
I don't work on the Go-inside-Google integration work, so someone else may
have to weigh in if it's appropriate to share those plans. My point with
mentioning Google's hermetic build system is more to emphasize that the Go
developers are very familiar with that build model and care about keeping
it working. The claims that the Go module system is being built without
consideration of those requirements seem very mistaken.
That said, the notary is only involved when adding new lines to the go.sum
file to handle adding or updating dependencies. There's no requirement to
contact the Go notary when the go.sum file is already complete.