Git's submodules are so universally derided that there's practically an entire industry devoted to providing alternatives for managing dependencies. But like anything in git, it's often worth giving the man-pages a good going-over and figuring out whether there are some options that do what you want, or to see if they've improved lately.

Metre has a slew of submodules, in part because some of our customers run (really) ancient versions of Linux and so we're going to need to statically link. But that means managing and shipping our own build of OpenSSL, for example - and that's a terrifying prospect for our Security Guy (lovely chap called Simon). It's pretty terrifying for me, too, actually.

Initially, I went for git submodule and a lot of manual work. The plus-side of git submodule is that it tracks the commit hashes of submodules, and you can check them all out at the right hash with either a `git clone --recursive` or a `git submodule update --init --recursive`. The problem is that one slip and a dependency could be left in with a serious security issue. And Metre is meant to be all about security. Simon The Security Guy wasn't happy with this. Pete, one of our senior devs, conducted a full review of the project and highlighted it too.

In practical terms, then, our release cycle involves advancing along a stable branch on all the submodules, such that we're confident that we've picked up any bugfixes. But we want to have high confidence that checking out a particular commit hash of Metre will give us the same dependencies we built with. This needs to be as simple as possible - really, a single command we can run as we need to. Yay, fun!
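One way to turn "a single command" into a check rather than a hope, as an added example that is not part of the original post or of Metre's own build scripts: run the recursive update, then refuse to build unless every line of `git submodule status --recursive` reports the submodule sitting at exactly the commit the superproject records. The status prefix characters (space, `-`, `+`, `U`) are git's own; the sample status lines, their all-zero hashes and the dependency paths are constructed placeholders, not Metre's real submodules.

```shell
#!/bin/sh
# Added example (not from the original post): verify that every submodule is
# checked out at exactly the commit the superproject pins.
#
# `git submodule status --recursive` prints one line per submodule. The first
# character is the verdict:
#   ' '  checked out at the recorded commit
#   '-'  not initialised
#   '+'  checked out at a different commit than the superproject records
#   'U'  merge conflict inside the submodule
# Only a leading space means the working tree matches what was committed.

# Reads status lines on stdin, prints every mismatch, returns 1 if any found.
check_submodule_lines() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            ' '*) ;;                                                   # pinned hash matches
            '-'*) echo "not initialised: ${line#?}"; bad=1 ;;
            '+'*) echo "drifted from pinned commit: ${line#?}"; bad=1 ;;
            'U'*) echo "merge conflict: ${line#?}"; bad=1 ;;
            *)    echo "unrecognised status line: $line"; bad=1 ;;
        esac
    done
    return $bad
}

# The one command for a real checkout: bring every submodule to the recorded
# hash, then stop if anything still disagrees with the superproject.
verify_submodules() {
    git submodule update --init --recursive >/dev/null || return 1
    git submodule status --recursive | check_submodule_lines
}

# Constructed sample output (placeholder hashes and paths, not real commits).
SAMPLE_OK=' 0000000000000000000000000000000000000001 deps/openssl (OpenSSL_1_1_1-stable)
 0000000000000000000000000000000000000002 deps/libevent (release-2.1.12)'
SAMPLE_DRIFT=' 0000000000000000000000000000000000000001 deps/openssl (OpenSSL_1_1_1-stable)
+0000000000000000000000000000000000000003 deps/libevent (heads/master)
-0000000000000000000000000000000000000004 deps/unbound'

# Invoked as `sh verify-deps.sh --run` inside the superproject, this performs
# the real check; without the flag it only defines the functions above.
if [ "${1-}" = "--run" ]; then
    verify_submodules
fi
```

Wiring `verify_submodules` into the start of the release build is the point: a `+` line means someone moved a submodule without committing the new pin in the superproject, and a `-` line means the dependency was never fetched at all, which is exactly the "one slip" the post worries about.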