SideburnsOfDoom 3 days ago

> That's not package manager problem that's registry problem

I do not think that the two are cleanly separable. They are client and server ends of the same system.

And I think my point is that I view it as more of a server (registry) and governance problem than the OP author does.

Despite the fact that my employer also has an internal package feed, the security of nuget.org and the central public feed is intrinsic to the security of the whole system.

NuGet was closer to the NPM end of the spectrum, but has tightened up considerably over time. Particularly the "Package ID Prefix Reservations" feature tells me that package names that start with certain words are owned by the relevant entity, be it "System." or "Azure." from Microsoft, or "AWS" from Amazon.

This is important as it's used to distribute SDKs and optional but standard library components and updates.

There is certainly junk on there, but not much load-bearing junk.

ozim 3 days ago | parent

The article is discussing "package manager" as a generic concept.

My argument was that this concept is not the problem.

The problem is in the governance of NPM, while NuGet or Maven are stricter, and therefore it is a registry governance problem.

But on the other hand NPM is much more popular than any other registry.

SideburnsOfDoom 3 days ago | parent

> The article is discussing "package manager" as a generic concept. My argument was that this concept is not the problem. The problem is in the governance of NPM

Then we're in agreement that the article's author has the wrong end of the stick, by focusing on the client end of the file transfer connection.

gingerBill 3 days ago | parent

Huh? I am not saying the repositories have (or should have) no responsibility, but you are also responsible for your own actions.

The popularity of such repositories and package managers is due to the users of them.

And the concepts are trivially separable in my opinion. A package manager uses a repo of packages to download from. You don't need a package manager to use a repo. And a package manager could be just local to your machine and thus not need an external repo either. I know in practice the two are combined but that doesn't mean they are not distinct concepts.