The approach I take with most of my projects, especially noscrypt:
Discussion
Rob Pike (I think) advocated for copying the code you need into your codebase rather than taking a dependency.
In the case of public key cryptography and ECC specifically, why do you even need a library? It's all known and pretty much immutable. And like 50 lines of code ...
Yeah, I learned it as "vendoring". Extremely common in C applications (exactly what I do most of the time).
> why do you even need a library
Audits, eyeballs, security, correctness, tests, iterations. People around here be rolling their own database column encryption...
I have no intentions of rewriting libsecp256k1, mbedtls AES and ChaCha etc.
I pulled btcec into my #realy because it involved a heap of dependencies including decred, where the actual schnorr library lives,
but the cgo secp256k1 library is just pulled in via regular dynamic linking.
Sorry poor wording. I didn't mean to rewrite it, I meant to vendor it.
Got it! It reminded me of the last 2 dependencies one of my projects needs (zlib and brotli), which I just staged up last night.
#golang has very strong protection against bad commits on dependencies: the go.sum file records version and hash, and unless you manually update them they stay stable. The go module caching service they run keeps that alive even if the original disappears; pretty sure they don't delete very much off it either unless it's really old.