Remember all those issues with npm ? The Java ecosystem has a different kind of those

@tcit oh my!
Well, npm, java… but it's valid for all those languages which assume it's a good idea to bypass the OS package management.

@mmu_man For instance, npmjs has over 800k packages, Maven 300k and packagist over 200k. Do you expect OS package management maintainers to have them all ?

Marrant, le CPAN est toujours premier 😊 (npm ne compte pas, t'as généralement entre 10 et 50 modules pour la même fonctionnalité)

@tcit well, maybe at least they could reuse some good practices (like proper signing of binaries with GPG)

@tcit For ex, requirement files could include SHAsums of the deps (for some versions).
Devs could still override checksum checks and use newer deps if they want for testing.

We do this in HaikuPorts recipes:

@mmu_man NodeJS modules already have a sha512 hash integrity check. Packagist seems to provide the same thing.

@tcit hmm yes but where does it get the hashes? if it's from the same source…

Sign in to participate in the conversation
Mastodon by tcit

Hi there !