As also requested for syft in syft/#2622, it would be great if the vendor dir could be included in the released artifacts.
What would you like to be added: To have an available and consistent dependency package for distributions that want to distribute grype.
Why is this needed:
For source packages, some (many/all?) distributions require all artifacts needed to build the package (including its dependencies) to be present if the package does not rely on distribution-specific library/include dependencies (which would be rather unusual for a Go package). These dependencies also need to be available for offline usage and may not be fetched at compile time through the language-specific module resolver (i.e. go mod download or npm i). Usually this results in someone creating a tarball of the deps as a vendor dir. But this tarball could be created and made available much more easily by the source package (here) than by each distribution package maintainer. Also, there would be higher consistency across distributions when it is made available by an authoritative party.
Additional context:
Example: Gentoo's grype package has a tarball of all dependencies at https://dev.gentoo.org/~williamh/dist/grype-0.73.0-deps.tar.xz which makes the whole package update process unnecessarily complicated.
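The following is an added example and not part of the issue or of grype's release tooling: a script that produces the kind of dependency tarball the request describes from a Go module's vendor directory, made byte-for-byte reproducible so a distribution can pin its checksum and notice any change in the vendored dependencies. It assumes a Linux host with GNU tar and coreutils; vendor_module and offline_build additionally need a Go toolchain, while pack_vendor and checksum run fully offline.

```shell
#!/usr/bin/env bash
# Reproducible vendor tarball for a Go module (added example, not grype's code).
set -euo pipefail
export LC_ALL=C   # stable sort order regardless of the packager's locale

# vendor_module SRC_DIR
# Populate SRC_DIR/vendor from go.mod/go.sum and check every module against
# go.sum. This is the only step that touches the network.
vendor_module() {
  ( cd "$1" && go mod vendor && go mod verify )
}

# pack_vendor SRC_DIR OUT_TARBALL [SOURCE_DATE_EPOCH]
# Deterministic tar+gzip: entries sorted by name, fixed mtime, uid/gid 0,
# normalised permissions, and no gzip timestamp. Identical vendor trees give
# identical bytes, so the checksum below is meaningful across rebuilds.
pack_vendor() {
  local src=$1 out=$2 epoch=${3:-0}
  tar --sort=name --mtime="@${epoch}" --owner=0 --group=0 --numeric-owner \
      --mode='u+rw,go+r,go-w' -C "$src" -cf - vendor | gzip -n -9 > "$out"
}

# checksum FILE
# Print the SHA-256 hex digest a distribution would record for the tarball.
checksum() {
  sha256sum "$1" | cut -d' ' -f1
}

# offline_build SRC_DIR
# Prove the vendored tree is sufficient: the module proxy is disabled and Go
# must resolve every import from vendor/ or fail.
offline_build() {
  ( cd "$1" && GOFLAGS=-mod=vendor GOPROXY=off go build ./... )
}

# Usage: ./vendor-tarball.sh path/to/module-src module-deps.tar.gz
if [ "$#" -ge 2 ]; then
  vendor_module "$1"
  pack_vendor "$1" "$2" "${SOURCE_DATE_EPOCH:-0}"
  offline_build "$1"
  checksum "$2"
fi
```

Running pack_vendor twice over the same source tree must yield the same digest; a differing digest means the vendor contents changed, not just the packaging run.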