I agree that the open source package dependency situation in many popular languages and ecosystems has gotten way out of hand. Well, at least my addiction to reinventing almost every wheel myself and self-hosting my own cobbled together infrastructure which has permanently afflicted me with chronic not-invented-here syndrome aren’t feeling like such a crippling disability anymore. Maybe it’s not always such a bad thing in every situation.
Governments need to stop giving money to corporations and give it to the people who deserve it.
3000 words and it’s all about neu-packages and the methods through which they’re all rife with supply-chain attacks anyway. Not a proper packaging or secure delivery and distribution model in sight.
The ask
That’s how I know this guy isn’t serious, and may not recognize proper packaging if it cut him off in traffic.
When app people try to be OS people, it’s a bad day. Enough of your cargo, your composer, and definitely enough NPM. No more pips. No more cpans. Deliver your shit properly - validation and caching is already established, if you do it right, and probably BitTorrent distro too - and just forget this paper ever existed.
This is a fucking solved problem. Just the Lost Boys weren’t paying attention before the mentors were gone.
He lost me at “you didn’t cache everything.” Every Fortune 100 company I have worked at does indeed scan and cache everything it has approved for use.