6 Apr 2024, 15:13
Can I just throw in that this is something we should maybe take upstream? Just recently I packaged ipp-usb, which needed to go through a security audit [1], where the audit revealed that the single dependency (gladly it was only one) was different than upstream git _or_ tarball, fetched by obs-service-go_modules. But in that regard it's basically unverifiable without actually running go mod vendor yourself, and verifying that the code is the same. (As only tests were missing, and it was a single dependency, I just packaged it separately.)

[1] https://build.opensuse.org/request/show/1164374
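
The comparison step the message describes could look like the following. This is an added example, not part of the original post and not code from ipp-usb or obs-service-go_modules; the function name `compare_vendor` and its output labels are hypothetical, and it assumes both trees are already unpacked on disk (the packaged vendor tree, and either your own `go mod vendor` output or an upstream checkout of the dependency).

```shell
#!/bin/sh
# Added example (hypothetical helper): compare a packaged vendor tree with a
# reference tree, e.g. the output of running `go mod vendor` yourself.
# Usage: compare_vendor PACKAGED_DIR REFERENCE_DIR
# Output: ADDED / CHANGED lines are unexpected; MISSING-TEST / MISSING lines
# are informational. Returns 0 when nothing was added or changed, 1 otherwise.
compare_vendor() {
    packaged=$1
    reference=$2
    rc=0
    tmp=$(mktemp) || return 2

    # Every packaged file must exist in the reference with identical bytes.
    (cd "$packaged" && find . -type f | sort) > "$tmp"
    while IFS= read -r f; do
        if [ ! -f "$reference/$f" ]; then
            echo "ADDED $f"; rc=1
        elif ! cmp -s "$packaged/$f" "$reference/$f"; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$tmp"

    # Files only in the reference: `go mod vendor` leaves out dependencies'
    # _test.go files, so those are reported separately from other omissions.
    (cd "$reference" && find . -type f | sort) > "$tmp"
    while IFS= read -r f; do
        [ -f "$packaged/$f" ] && continue
        case $f in
            *_test.go) echo "MISSING-TEST $f" ;;
            *)         echo "MISSING $f" ;;
        esac
    done < "$tmp"

    rm -f "$tmp"
    return "$rc"
}

# Run as a script: sh compare_vendor.sh PACKAGED_DIR REFERENCE_DIR
if [ "$#" -eq 2 ]; then
    compare_vendor "$1" "$2"
fi
```

A non-zero exit means the packaged tree contains code the reference does not account for; a run that prints only MISSING-TEST lines matches the "only tests were missing" outcome mentioned above.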