Don't just vendor - rebuild the ecosystem and persuade the vendor to work on software management ...
Posted Jan 27, 2025 20:50 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
In reply to: Don't just vendor - rebuild the ecosystem and persuade the vendor to work on software management ... by ms
Parent article: Vendoring Go packages by default in Fedora
> I don't know whether that's cryptographically signable, but I would have thought that would go a long way towards SBOM etc.
It is! You can cryptographically safely go from a git reference (or a source code hash) to the resulting binary.
