Area
Other components
What happened?
We mirror the scheduler-plugins repository into our private build servers in order to comply with our secure software supply chain policies. There is governance and vulnerability automation that scans the repository for CVEs and licensing issues. Unfortunately, this repository uses Go vendoring, which means two things:
1. When we pull in new upstream code, we sometimes need to pull in millions of lines of code (most of which is in the vendor/ folder), making it difficult if not impossible to know what has changed outside of the dependencies.
2. Our governance and CVE automation scans all the vendored code and alerts on everything it finds, and we need to manually change the go.mod file to include "fixed" versions of dependencies (many times there isn't, frankly, a usable version of a dependency because of incompatible 0-series versions, but we still have to struggle through trying to update the dependency anyway).
If this repo didn't use vendoring, our life would be a whole lot easier because a) there'd be a whole lot less code in the repository and Git commits and b) we could take advantage of modern Go module tooling that essentially obviates the need for vendoring entirely.
In the topologyawarewg and networkplumbingwg I've already merged PRs that remove vendoring from a bunch of their repos, and that's helped tremendously in simplifying life for those of us who have to build components using internal build tooling. Would it be possible to remove vendoring from the scheduler-plugins repo?
What did you expect to happen?
n/a
How can we reproduce it (as minimally and precisely as possible)?
No response
Anything else we need to know?
No response
Kubernetes version
all
Scheduler Plugins version
all