Drop FOSSA?
200sc commented
Every time FOSSA tells us anything about a PR, it's always wrong. Right now it's just alert fatigue, and having to go in manually and tell FOSSA "no, we aren't importing ffmpeg code", etc., makes our builds red when they aren't (like 5ba729b, the current commit) and is a bad look.
200sc commented
@Implausiblyfun Thoughts? I'm inclined to just drop it.
Implausiblyfun commented
Per discussion, we will drop FOSSA and go to a strategy where we pin dependencies and store a file with the hashes. That way we can make sure that we are manually checking.
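The check behind the strategy in the last comment (pin each dependency, keep its hash in a committed file, fail the build when anything differs), written out as an added example; this is not part of the issue thread or the project's own tooling. The lockfile format (`<sha256>  <path>`, modelled on what `sha256sum -c` reads), the function names and the sample archives are all assumptions. It goes one step beyond the comment by also reporting artifacts that are present but not pinned, since a dependency nobody added to the hash file is exactly the one that skipped manual review.

```python
"""Verify pinned dependency archives against a committed hash file.

Added example, not the project's code. The lockfile format and every
name below are assumptions; the sample data is constructed inline.
"""
import hashlib
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class VerifyResult:
    ok: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)  # pinned, present, wrong hash
    missing: list = field(default_factory=list)     # pinned but not present
    unlisted: list = field(default_factory=list)    # present but never pinned

    @property
    def passed(self) -> bool:
        return not (self.mismatched or self.missing or self.unlisted)


def parse_lockfile(text: str) -> dict:
    """Parse lines of '<hex sha256>  <path>'; blank lines and '#' comments are skipped."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"lockfile line {lineno}: expected '<sha256>  <path>'")
        digest, path = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"lockfile line {lineno}: digest is not hex") from None
        if path in pins:
            raise ValueError(f"lockfile line {lineno}: duplicate entry for {path}")
        pins[path] = digest.lower()
    return pins


def verify(pins: dict, artifacts: dict) -> VerifyResult:
    """Compare each pinned path's SHA-256 with the bytes actually present.

    `artifacts` maps path -> file contents. Paths present in `artifacts`
    but absent from `pins` are reported as unlisted so an unreviewed
    addition cannot pass silently.
    """
    result = VerifyResult()
    for path, expected in pins.items():
        if path not in artifacts:
            result.missing.append(path)
            continue
        actual = hashlib.sha256(artifacts[path]).hexdigest()
        (result.ok if actual == expected else result.mismatched).append(path)
    result.unlisted.extend(sorted(set(artifacts) - set(pins)))
    return result


def verify_directory(lockfile: Path, root: Path) -> VerifyResult:
    """Disk-backed variant: hash every regular file under `root` (paths relative to it)."""
    artifacts = {
        str(p.relative_to(root).as_posix()): p.read_bytes()
        for p in root.rglob("*") if p.is_file()
    }
    return verify(parse_lockfile(lockfile.read_text()), artifacts)


# Constructed sample data: two dependency archives and a lockfile pinning them.
GOOD_ARCHIVE = b"fake-dep-1.2.3.tar.gz contents"
OTHER_ARCHIVE = b"other-0.9.0.zip contents"
SAMPLE_LOCKFILE = "\n".join([
    "# pinned dependency hashes (constructed example)",
    f"{hashlib.sha256(GOOD_ARCHIVE).hexdigest()}  deps/fake-dep-1.2.3.tar.gz",
    f"{hashlib.sha256(OTHER_ARCHIVE).hexdigest()}  deps/other-0.9.0.zip",
])


def run_sample() -> VerifyResult:
    """Simulate one tampered archive and one archive nobody pinned."""
    artifacts = {
        "deps/fake-dep-1.2.3.tar.gz": GOOD_ARCHIVE,
        "deps/other-0.9.0.zip": OTHER_ARCHIVE + b"\x00",   # a single byte changed
        "deps/surprise-2.0.0.tar.gz": b"nobody reviewed this",
    }
    return verify(parse_lockfile(SAMPLE_LOCKFILE), artifacts)


if __name__ == "__main__":
    r = run_sample()
    if r.passed:
        print("all pinned dependencies verified")
    else:
        print(f"FAILED mismatched={r.mismatched} missing={r.missing} unlisted={r.unlisted}")
```

In CI the `verify_directory` form would be the one wired up (exit non-zero when `passed` is false), with the hash file updated only in a reviewed commit; the three failure buckets are kept separate so the log says whether a pinned archive changed, vanished, or appeared without a pin.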