Am 18.01.2022 um 14:40 schrieb Richard Purdie:

On Tue, 2022-01-18 at 14:00 +0100, Stefan Herbrechtsmeier wrote:

In summary we use a language specific lock file based approach which
support offline build, license checks and CVE scans and leaves the
dependency management and fixing outside of OE to limit the recipe count
and required resources.

I think so. It isn't the perfect solution but it is what will likely be the most
successful/practical.

Should this be unified between Node.js / npm, Go, Rust / Cargo and
Python / Pipfile?

I don't think it makes sense to dictate that and make a hard rule. Where there
are many dependencies and we can't easily control the dependency mechanism in
the language, yes. Not everything has as granular dependencies as npm though.

But do we have a consensus that we prefer existing lock files and a
specific fetcher instead of a multi line SRC_URI generated by recipetool?