@tcit oh my!
Well, npm, java… but it's valid for all those languages which assume it's a good idea to bypass the OS package management.
@mmu_man For instance, npmjs has over 800k packages, Maven 300k and packagist over 200k. Do you expect OS package management maintainers to have them all?
Interesting data by the way http://www.modulecounts.com/
@tcit Application error
@mmu_man Fediverse killed it
@tcit Fediverse is the new Slashdot™
Funny, CPAN is still first 😊 (npm doesn't count, you generally have between 10 and 50 modules for the same functionality)
@tcit well, maybe at least they could reuse some good practices (like proper signing of binaries with GPG)
@mmu_man That's a very good point.
@tcit For ex, requirement files could include SHAsums of the deps (for some versions).
Devs could still override checksum checks and use newer deps if they want for testing.
We do this in HaikuPorts recipes:
@mmu_man NodeJS modules already have a sha512 hash integrity check. Packagist seems to provide the same thing.
@tcit hmm yes but where does it get the hashes? if it's from the same source…
Hi there !