Tag
The author argues that fetching dependencies directly from VCS (as done in Go) is more secure and easier to audit than using package registries with a publish step (as in Ruby, npm, PyPI).