| ▲ | nenenejej 12 hours ago | ||||||||||||||||
The solution is to design package managers around the uniform resource identifier: a way to locate online assets that is mostly (ignoring DNS) decentralised and better than having one org own all the packages. | |||||||||||||||||
| ▲ | notatallshaw 11 hours ago | parent | next [-] | ||||||||||||||||
Taking PyPI as a central place of packages, it is known that their bandwidth bill would be $1.8+M per month (https://dustingram.com/articles/2021/04/14/powering-the-pyth...) were it not for Fastly giving them a 100% discount. Are there any reliable decentralized package distribution systems operating at within 2 orders of magnitude of that scale? How do they handle administrative issues such as malicious packages or name squatting? Standards updates? Enforcement of correct metadata? And all the other common things package indexes need to handle. I'm clearly skeptical, but would be very interested in any real world success stories. | |||||||||||||||||
| |||||||||||||||||
| ▲ | cortesoft 12 hours ago | parent | prev | next [-] | ||||||||||||||||
You can absolutely use bundler and gem without touching the rubygems servers. You can point to an alternate rubygems host (including one you run yourself), point to a git repo, or a local gem file source | |||||||||||||||||
| ▲ | rmoriz 12 hours ago | parent | prev | next [-] | ||||||||||||||||
This resembles the "monolith" vs "micro-services" discussion. If you spread the packages over thousands of domains, hosts, providers, reliability will be horrible. And it's uncontrollable. In theory, RubyGems could run code analyzers on all uploads to detected malware. Good look if you just haven an index of repositories/packages hosted elsewhere. | |||||||||||||||||
| |||||||||||||||||
| ▲ | hosh 12 hours ago | parent | prev [-] | ||||||||||||||||
That sounds like a neat idea. Do you have a proposal for that? Would it be compatible with specifying urls (such as git repos)? | |||||||||||||||||
| |||||||||||||||||