@@ -164,6 +164,105 @@ that trade is clearly worthwhile. In others, it introduces more cost than benefi
164164Used intentionally and with an understanding of its limitations, vendoring is
165165simply one tool among many for managing dependencies.
166166
167+ Best Practices
168+ --------------
169+
170+ The following practices are drawn from our own usage of *Dfetch * and real-world policies and respected guidelines.
171+ They *mitigate * vendoring risks; they do not eliminate them.
172+
173+ .. admonition :: Explicit Version Pinning and Provenance
174+
175+ Every vendored dependency must be pinned to an explicit version, tag, or commit, and its source must be documented.
176+
177+ **Rationale** Vendored code is often added once and then forgotten. Without automation, vulnerabilities, license issues,
178+ and inconsistencies can persist unnoticed long after initial inclusion.
179+
180+ * pip: `vendor.txt` tracks versions and sources
181+ * Go/Kubernetes: `go.mod`, `go.sum`, `vendor/modules.txt`
182+ * Cargo: `Cargo.lock` + vendored sources
183+ * Guidelines: `OWASP SCVS <https://scvs.owasp.org/scvs/v1-inventory/>`_, OpenSSF, NIST SP 800-161, SLSA
184+
185+ *Dfetch* addresses this by having a declarative :ref:`manifest` and the option to :ref:`freeze` dependences to make each
186+ revision exiplicit.
187+
188+ .. admonition :: Reproducible and Offline Builds
189+
190+ Vendoring must enable fully reproducible and offline builds.
191+
192+ **Rationale** The point of vendoring code is to remove external dependencies, by making sure an offline build succeeds it is
193+ proven that builds are not dependent on external sources.
194+
195+ * Go: committed `vendor/`
196+ * Cargo: `.cargo/config.toml` + `cargo vendor`
197+ * pip: vendored wheels and pure-Python dependencies
198+ * Guidelines: SLSA, OpenSSF
199+
200+ *Dfetch* doesn't directly addresses this, this is a policy to follow.
201+
202+ .. admonition :: Do Not Review Vendored Code Line-by-Line
203+
204+ External vendored code is not reviewed line-by-line. Review focuses on *metadata*.
205+
206+ **Rationale** Reviewing external code will place a burden on maintainers.
207+ When first selecting an external dependency perform Due Diligence.
208+
209+ Reviewers verify:
210+
211+ * Version changes
212+ * Changelogs / release notes
213+ * License compatibility
214+ * CI and test results
215+
216+ This principle is explicitly aligned with:
217+
218+ * OWASP Software Component Verification Standard
219+ * Google Open Source Security Guidelines
220+ * OpenSSF Best Practices
221+
222+ *Dfetch* addresses this by having a manifest and a metadata file (``.dfetch_data.yaml``) which can be reviewed.
223+
224+ .. admonition :: Separation of Vendor Updates from Product Changes
225+
226+ Vendored dependency updates must be isolated from functional code changes.
227+
228+ * Separate PRs or commits
229+ * Clear commit messages documenting versions and rationale
230+
231+ **Rationale** By separation the review noise will be reduced, letting maintainers focus on important changes.
232+
233+ *Dfetch* doesn't address this directly.
234+
235+ .. admonition :: No Manual Modifications Without Documentation
236+
237+ Vendored code must not be modified directly unless unavoidable.
238+
239+ If modifications are required:
240+
241+ * Document patches explicitly
242+ * Prefer patch/overlay mechanisms
243+ * Upstream changes whenever possible
244+ * pip: documented adaptations
245+ * Cargo: `[patch]` mechanism
246+ * Guidelines: Google OSS, OWASP, OpenSSF
247+
248+ **Rationale** The vendored dependency may diverge, and patch rot
249+
250+ *Dfetch* addresses this by providing a ``dfetch diff`` (:ref:`Diff`) command and a ``patch`` :ref:`Patch` attribute in the manifest.
251+ Next to this there is a CI system to detect local changes using :ref:`Check`.
252+
253+ .. admonition :: Continuous Automation and Security Scanning
254+
255+ Vendored dependencies must be continuously verified through automation.
256+
257+ * CI verifies vendor consistency
258+ * Dependency and CVE scanning
259+ * SBOM generation
260+
261+ **Rationale** By copy-pasting a dependency, there may m=be silent security degradation since there is no automatic updates.
262+
263+ *Dfetch* addresses this by providing a ``dfetch check`` (:ref:`Check`) command to see if dependencies are out-of-date and
264+ various report formats (including SBoM) to check vulnerabilities.
265+
167266
168267-----------------------------------
169268
0 commit comments