On Tue, 2022-01-18 at 15:00 +0100, Stefan Herbrechtsmeier wrote:
> On 18.01.2022 at 14:40, Richard Purdie wrote:
> > On Tue, 2022-01-18 at 14:00 +0100, Stefan Herbrechtsmeier wrote:
> > > In summary we use a language specific lock file based approach which
> > > support offline build, license checks and CVE scans and leaves the
> > > dependency management and fixing outside of OE to limit the recipe count
> > > and required resources.
> >
> > I think so. It isn't the perfect solution but it is what will likely be the most
>
> Should this be unified between Node.js / npm, Go, Rust / Cargo and
> Python / Pipfile?

I don't think it makes sense to dictate that and make a hard rule. Where there
are many dependencies and we can't easily control the dependency mechanism in
the language, yes. Not everything has as granular dependencies as npm though.

> But do we have a consensus that we prefer existing lock files and a
> specific fetcher instead of a multi line SRC_URI generated by recipetool?

I think either can be acceptable, it really depends on the situation.