Remix.run Logo
cygx an hour ago

Why can't you store a (possibly shallow) clone of the repository in the "package" registry?

Yes, that would be an option.

As to your question, you generally want to version control input files, but distribute the generated artifacts. Some possible scenarios would be documentation, data tables in source or binary form, generated code including maybe even configure scripts if you cannot avoid it (though if I had to 'vendor' 3rdparty code that uses autotools, I think I probably would just unpack a tarball and commit the relevant artifacts).

g-b-r 27 minutes ago | parent [-]

If you distribute generated artifacts you're not really distributing the source (and thus xz can happen)

Even for documentation, you'd think it would be harmless to generate it, but it's far from a given that the tools (e.g. browsers) used to read it are safe from malicious documentation files

cygx 7 minutes ago | parent [-]

it's far from a given that the tools (e.g. browsers) used to read it are safe from malicious documentation files

Generated HTML files are potentially easier to audit than the scripts/toolchains used to generate them on an end user's machine if you do not pre-generate them.

Off the top of my head, other things I've done is committing RELAX NG *.rnc files, but shipping *.rng files, or generating C header files for various types of data (think `xxd -i` in case of binary files, but also just large chunks of plain text that gets wrapped into a C string).