Show threadAndrii Mishkovskyi 🇺🇦Feb 11
It's otherwise a fine article, I should not be so up in arms about a small timeline issue https://nesbitt.io/2026/02/10/lockfiles-killed-vendoring.html #packaging #vendoring #lockfiles
Lockfiles Killed Vendoring

Why almost nobody vendors their dependencies anymore.

Andrew Nesbitt
David GuillotAug 12, 2025

🚀 Just simplified the #frontend workflow of my #django project template, with the #nobuild approach and the #vendoring of CSS/JS dependencies.

More details in an upcoming blog post soon. https://codeberg.org/David-Guillot/django-project-template

#webdev

django-project-template

A proposal for starting working with Django at a professional level. :warning: To start your own project, don't fork, use the "Use this template" button!

Codeberg.org
Show threadPaul MeyerMar 22, 2025

If you want to learn more about gobuild.nix and why we need it, checkout my talk at FOSDEM this year:
https://fosdem.org/2025/schedule/event/fosdem-2025-5654-go-in-the-nix-ecosystem-vulnerability-scanning-and-experiments-towards-a-next-gen-builder/

#Nix #nixpkgs #golang #vendoring

FOSDEM 2025 - Go in the Nix ecosystem: vulnerability scanning and experiments towards a next-gen builder

Paul MeyerMar 22, 2025

#OceanSprint 2025 is over, it was an great experience!

I mostly worked on gobuild.nix, a next-generation builder for Go in nixpkgs. gobuild.nix removes vendoring for Go packages in nixpkgs, modeling the full dependency graph in Nix. Each module dependency will be its own derivation, including build cache on a module level.

During the sprint, I moved gobuild.nix from linking dependency source into a vendor directory to providing a local directory that can be used as GOPROXY. This is both more versatile and simple.

Together with @britter I started implementing a code generation tool that will help to package the large number of packages that will be part of the Go dependencies package set. The tool generates the Nix code for these packages, including the FOD hashes.

#Nix #nixpkgs #golang #vendoring

GitHub - katexochen/gobuild.nix: Experiment in new Go builders for Nix (not a go2nix tool)

Experiment in new Go builders for Nix (not a go2nix tool) - katexochen/gobuild.nix

GitHub
रञ्जित (Ranjit Mathew)Jan 25, 2025

“Build It Yourself”, Armin Ronacher (https://lucumr.pocoo.org/2025/1/24/build-it-yourself/).

Via HN: https://news.ycombinator.com/item?id=42812641

On Lobsters: https://lobste.rs/s/a5vkze/build_it_yourself

“A little copying is better than a little dependency.” – Rob Pike.

#Dependencies #Programming #DependencyHell #Rust #Cargo #Bloat #Vendoring

Build It Yourself

We need a vibe shift on dependencies in programming.

Armin Ronacher's Thoughts and Writings
रञ्जित (Ranjit Mathew)Dec 29, 2023

“Cold-Blooded Software”, Patrick Dubroy (https://dubroy.com/blog/cold-blooded-software/).

On HN: https://news.ycombinator.com/item?id=38793206

On Lobsters: https://lobste.rs/s/hitos3/cold_blooded_software

#ColdBlooded #DependencyHell #BoringTechnology #Simplicity #Vendoring #Dependencies #ChangeManagement

Cold-blooded software

Show threadElias ProbstSep 14, 2023
@hexa vendoring is the root of all evil.
I'd love to live in an ideal world, where #vendoring simply doesn't exist!
रञ्जित (Ranjit Mathew)Apr 9, 2022

"How Go Mitigates Supply Chain Attacks", The Go Blog (https://go.dev/blog/supply-chain).

On HN: https://news.ycombinator.com/item?id=30869261

#Go #GoLang #Packages #VersionControl #GoMod #Vendoring #Dependencies #Security #ComputerSecurity #ChecksumDatabase #Build #RemoteCodeExecution #DependencyManagement

How Go Mitigates Supply Chain Attacks - The Go Programming Language

Go tooling and design help mitigate supply chain attacks at various stages.