
Drop FOSSA?

Open 200sc opened this issue 3 years ago • 2 comments

Every time FOSSA tells us anything about a PR, it's always wrong. Right now it's just alert fatigue, and having to go in manually and tell FOSSA "no, we aren't importing ffmpeg code" etc. makes our builds red when they aren't (like https://github.com/oakmound/oak/commit/5ba729bd62a02c9540f9385bc048f3d91a717de5, the current commit) and is a bad look.

200sc avatar Feb 05 '22 14:02 200sc

@Implausiblyfun Thoughts? I'm inclined to just drop it.

200sc avatar Mar 06 '22 17:03 200sc

Per discussion we will drop FOSSA and go to a strategy where we pin dependencies and store a file with the hashes. That way we can make sure that we are manually checking.

Implausiblyfun avatar Mar 12 '22 17:03 Implausiblyfun
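The pin-and-hash strategy in the last comment can be checked mechanically. The following is an added example, not code from the oak project: it parses two go.sum-format texts, a committed "pinned" manifest and the current go.sum, and reports any pinned entry that is missing, any module/version whose hash changed, and any entry that was added without being pinned. The module paths (`example.com/...`) and the `h1:` values are constructed placeholders, not real hashes; `CheckDrift`, `Drift` and the sample constants are names introduced here.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Constructed sample manifests in go.sum format: "<module> <version> <hash>".
// Real go.sum hashes are base64 under an "h1:" prefix; these are placeholders.
const PinnedSample = `example.com/lib v1.2.3 h1:PINNED-LIB-HASH
example.com/lib v1.2.3/go.mod h1:PINNED-LIB-MOD-HASH
example.com/old v1.0.0 h1:PINNED-OLD-HASH
`

const CurrentSample = `example.com/lib v1.2.3 h1:DIFFERENT-LIB-HASH
example.com/lib v1.2.3/go.mod h1:PINNED-LIB-MOD-HASH
example.com/new v0.1.0 h1:UNPINNED-NEW-HASH
`

// ParseGoSum reads go.sum-format text into a map keyed by "module version".
// A conflicting hash for the same key is treated as an error rather than
// silently overwritten, since that is exactly the condition a reviewer wants to see.
func ParseGoSum(text string) (map[string]string, error) {
	entries := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	lineNo := 0
	for sc.Scan() {
		lineNo++
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 3 {
			return nil, fmt.Errorf("line %d: expected 3 fields, got %d", lineNo, len(fields))
		}
		key := fields[0] + " " + fields[1]
		if prev, ok := entries[key]; ok && prev != fields[2] {
			return nil, fmt.Errorf("line %d: conflicting hash for %s", lineNo, key)
		}
		entries[key] = fields[2]
	}
	return entries, sc.Err()
}

// Drift lists the differences between the pinned manifest and the current go.sum.
type Drift struct {
	Missing  []string // pinned entries absent from the current file
	Changed  []string // same module/version, different hash
	Unpinned []string // current entries nobody reviewed and pinned
}

// Clean reports whether the current file matches the pinned manifest exactly.
func (d Drift) Clean() bool {
	return len(d.Missing) == 0 && len(d.Changed) == 0 && len(d.Unpinned) == 0
}

// CheckDrift parses both texts and compares them; slices are sorted for stable output.
func CheckDrift(pinnedText, currentText string) (Drift, error) {
	var d Drift
	pinned, err := ParseGoSum(pinnedText)
	if err != nil {
		return d, fmt.Errorf("pinned: %w", err)
	}
	current, err := ParseGoSum(currentText)
	if err != nil {
		return d, fmt.Errorf("current: %w", err)
	}
	for key, hash := range pinned {
		cur, ok := current[key]
		switch {
		case !ok:
			d.Missing = append(d.Missing, key)
		case cur != hash:
			d.Changed = append(d.Changed, key)
		}
	}
	for key := range current {
		if _, ok := pinned[key]; !ok {
			d.Unpinned = append(d.Unpinned, key)
		}
	}
	sort.Strings(d.Missing)
	sort.Strings(d.Changed)
	sort.Strings(d.Unpinned)
	return d, nil
}

func main() {
	d, err := CheckDrift(PinnedSample, CurrentSample)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	fmt.Printf("missing: %v\nchanged: %v\nunpinned: %v\n", d.Missing, d.Changed, d.Unpinned)
	if !d.Clean() {
		os.Exit(1) // non-zero so a CI step fails on unreviewed dependency changes
	}
}
```

In practice the pinned manifest would be a copy of go.sum committed after review and the current text read from the working tree; a changed hash for an unchanged version is the case worth treating as a hard failure. This check only compares the two files against each other; pairing it with `go mod verify`, which checks the downloaded module cache against go.sum, covers the other half of the "are these the bytes we reviewed" question.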