July 5, 2026
Git or get hit
Dependencies should be fetched directly from VCS
Why coders are fighting over where apps should grab their parts
TLDR: The article argues software should fetch add-on code directly from its original source, because separate package stores make it easier for attackers to slip in hidden changes. Commenters were split: some called this a smarter, safer model, while others said it risks broken links, vanished projects, and fresh chaos.
A Ruby developer wandered back from the land of Go and dropped a spicy claim: software dependencies — the little add-on code packages apps rely on — should be pulled straight from the original code repository, not from a separate app store-style registry. His argument is simple enough for non-coders too: if you fetch code directly from where it was written, it’s easier to see what changed and harder for someone to sneak in surprises during the “packing and publishing” step. He points to recent supply-chain scares, from npm account takeovers to the infamous left-pad meltdown, as proof that the real chaos often happens when code gets repackaged, not when it sits in public view.
But the comments? Absolute food fight. One camp basically yelled, “Yes, finally, someone gets it,” with one reader saying Go’s setup is so good that people are missing the point entirely. The other camp came in swinging with the wet blanket realism: published packages often aren’t the same as raw source code, because they need extra build steps, compiled bits, or cleanup before they’re usable. Others warned that trusting random code hosts to stay online forever is its own horror movie, while veterans dragged out the ancient left-pad trauma like internet war stories. The vibe was less “problem solved” and more pick your poison: centralized package hubs can be risky, but depending on code hosts alone might just swap one disaster for another.
Key Points
- •The article argues that Go’s dependency model fetches code directly from version control by URL, avoiding a separate package publishing step.
- •Go Modules use go.mod as both a dependency specification and lock file, recording exact versions and the full dependency tree.
- •The article says Go verifies hashes with sum.golang.org and uses a proxy to reduce risks such as tag replacement and dependency disappearance.
- •It contrasts this with RubyGems, where published .gem archives can differ from source repositories and are harder to audit because commit history is not preserved in the artifact review process.
- •The article links many software supply-chain incidents to the package publishing step, citing npm compromises, the xz release incident, and the 2018 event-stream/flatmap-stream case.