Dependencies should be fetched directly from VCS
Summary
A personal blog post arguing that dependencies should be fetched directly from version control systems to improve auditability and security. It contrasts Go's module system with RubyGems' publish-a-package model, discusses auditing challenges across Go, Ruby, and npm, and proposes ideas for more transparent, git-based dependency workflows.