Remember all those issues with npm? The Java ecosystem has a different kind of those.

@tcit oh my!
Well, npm, Java… but it's valid for all those languages which assume it's a good idea to bypass the OS package management.

@mmu_man For instance, npmjs has over 800k packages, Maven 300k and packagist over 200k. Do you expect OS package management maintainers to have them all?

@tcit well, maybe at least they could reuse some good practices (like proper signing of binaries with GPG).

@tcit For example, requirement files could include SHA sums of the deps (for some versions).
Devs could still override checksum checks and use newer deps if they want for testing.

We do this in HaikuPorts recipes:

@mmu_man NodeJS modules already have a sha512 hash integrity check. Packagist seems to provide the same thing.

@tcit hmm yes, but where does it get the hashes? If it's from the same source…
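To make concrete what the lockfile integrity check mentioned above does and does not cover, here is an added Python example (not written by anyone in this thread): it parses the `sha512-<base64>` SRI string npm stores in `package-lock.json`, verifies tarball bytes against it, and shows that the pin catches a later substitution while being only as trustworthy as whatever the registry served on the first fetch. The package name, URL and tarball bytes are constructed sample values.

```python
"""Added example: npm package-lock.json-style SRI integrity verification."""
import base64
import hashlib
import hmac

# SRI only allows these; weaker digests (sha1, md5) must be rejected.
SRI_ALGORITHMS = {"sha256", "sha384", "sha512"}


def parse_sri(integrity: str) -> tuple[str, bytes]:
    """Split 'sha512-<base64>' into (algorithm, raw digest bytes)."""
    algo, sep, b64 = integrity.partition("-")
    if sep != "-" or algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI string: {integrity!r}")
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError("digest length does not match algorithm")
    return algo, digest

def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Digest npm records in the lockfile when a tarball is first fetched."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if the bytes match the pinned digest (constant-time compare)."""
    algo, expected = parse_sri(integrity)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


# Constructed sample: what the registry served on the very first install.
FIRST_FETCH = b"constructed tarball bytes for example-dep@1.0.0\n"
# The lockfile pins whatever was served then; it cannot vouch for that first copy,
# which is the "same source" caveat raised in the thread.
LOCKFILE = {"packages": {"node_modules/example-dep": {
    "version": "1.0.0",
    "resolved": "https://registry.example.invalid/example-dep-1.0.0.tgz",
    "integrity": make_sri(FIRST_FETCH),
}}}
# A later, substituted tarball: the pinned digest catches this.
SUBSTITUTED = FIRST_FETCH + b"// constructed extra bytes\n"

def check_lockfile_entry(lock: dict, name: str, data: bytes) -> bool:
    """Re-run the check npm performs against the pinned lockfile entry."""
    return verify_sri(data, lock["packages"][f"node_modules/{name}"]["integrity"])

if __name__ == "__main__":
    print("first fetch :", check_lockfile_entry(LOCKFILE, "example-dep", FIRST_FETCH))
    print("substituted :", check_lockfile_entry(LOCKFILE, "example-dep", SUBSTITUTED))
```

Pinning the digest turns later tampering into a hard install failure; deciding whether the first copy was good needs an independent check such as the GPG signing raised earlier in the thread.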

