oakmound/oak

Drop FOSSA?

Opened this issue · 2 comments

200sc commented

Every time FOSSA tells us anything about a PR, it's always wrong. Right now it's just alert fatigue, and having to go in manually and tell FOSSA "no, we aren't importing ffmpeg code" etc. makes our builds red when they aren't (like 5ba729b, the current commit) and is a bad look.

200sc commented

@Implausiblyfun Thoughts? I'm inclined to just drop it.

Per discussion we will drop FOSSA and go to a strategy where we pin dependencies and store a file with the hashes. That way we can make sure that we are manually checking.
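One way to implement the "pin dependencies and store a file with the hashes" strategy described above, as an added example in Go (the project's language) that is not code from the oak repository: a manifest of `<hex-sha256>  <path>` lines (a `sha256sum`-style format assumed here, not one the project defined) is generated from the reviewed dependency tree and committed; a CI step then rebuilds the hashes of the checked-out tree and reports anything modified, missing, or never pinned. The file tree is constructed in memory so the example runs offline; `BuildManifest`, `ParseManifest`, `Verify` and `Drift` are names chosen for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a pinned dependency file path to the hex SHA-256 of its
// contents. The on-disk form assumed by this example is one
// "<hex-sha256>  <path>" line per file; blank lines and '#' comments are allowed.
type Manifest map[string]string

// digestHex returns the lowercase hex SHA-256 of b.
func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest hashes every file in files (path -> contents).
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, content := range files {
		m[path] = digestHex(content)
	}
	return m
}

// Format renders the manifest in sorted path order so it diffs cleanly in review.
func (m Manifest) Format() string {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s  %s\n", m[p], p)
	}
	return sb.String()
}

// ParseManifest reads the committed manifest back. Any malformed line is an
// error: a manifest that silently drops entries would stop protecting anything.
func ParseManifest(text string) (Manifest, error) {
	m := Manifest{}
	for n, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("manifest line %d: malformed entry %q", n+1, line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("manifest line %d: bad digest: %w", n+1, err)
		}
		if _, dup := m[fields[1]]; dup {
			return nil, fmt.Errorf("manifest line %d: duplicate path %q", n+1, fields[1])
		}
		m[fields[1]] = fields[0]
	}
	return m, nil
}

// Drift is one disagreement between the manifest and the checked-out tree.
// Kind is "modified" (hash differs), "missing" (pinned but absent) or
// "unexpected" (present but never reviewed and pinned).
type Drift struct {
	Path, Kind string
}

// Verify compares the tree against the manifest and returns every drift,
// sorted by path. An empty result means the tree is exactly what was pinned.
func Verify(m Manifest, files map[string][]byte) []Drift {
	var out []Drift
	for path, want := range m {
		content, ok := files[path]
		switch {
		case !ok:
			out = append(out, Drift{Path: path, Kind: "missing"})
		case digestHex(content) != want:
			out = append(out, Drift{Path: path, Kind: "modified"})
		}
	}
	for path := range files {
		if _, ok := m[path]; !ok {
			out = append(out, Drift{Path: path, Kind: "unexpected"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	// Constructed sample tree standing in for a reviewed, vendored dependency.
	pinned := map[string][]byte{
		"vendor/example.com/lib/a.go": []byte("package lib\n"),
		"vendor/example.com/lib/b.go": []byte("package lib\n\nfunc B() {}\n"),
	}
	m, err := ParseManifest(BuildManifest(pinned).Format()) // what gets committed
	if err != nil {
		panic(err)
	}
	// Simulate an upstream change and a new file slipping in without review.
	current := map[string][]byte{
		"vendor/example.com/lib/a.go": []byte("package lib\n// changed upstream\n"),
		"vendor/example.com/lib/c.go": []byte("package lib\n"),
	}
	for _, d := range Verify(m, current) {
		fmt.Printf("%-10s %s\n", d.Kind, d.Path)
	}
}
```

Run in CI as a step that fails the build on a non-empty `Verify` result; a dependency bump then shows up as a manifest diff that a reviewer has to approve, which is the manual check the comment above is after. For dependencies fetched as Go modules, `go.sum` already records per-module hashes and `go mod verify` checks the module cache against them; a manifest like this one covers what `go.sum` does not, such as vendored or hand-copied sources.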