Remember all those issues with npm? The Java ecosystem has a different kind of those: https://blog.autsoft.hu/a-confusing-dependency/
@tcit oh my!
Well, npm, java… but it's valid for all those languages which assume it's a good idea to bypass the OS package management.
@mmu_man That's a very good point.
@tcit For ex, requirement files could include SHAsums of the deps (for some versions).
Devs could still override checksum checks and use newer deps if they want for testing.
We do this in HaikuPorts recipes:
@mmu_man NodeJS modules already have a sha512 hash integrity check. Packagist seems to provide the same thing.
@tcit Hmm, yes, but where does it get the hashes? If it's from the same source…