Package managers should be immutable, distributed and decentralized

March 23, 2016

I just came across an interesting post via Hacker News, from an
author of several hundred NPM packages (some of them quite popular) who
just removed all of his packages from NPM.

Tons of other projects around the world depending on his packages broke as
a result of this. The NPM project responded by un-un-publishing the packages:

While you can say that the original author was not very nice to do this as
a protest, and without warning, I think it highlights a larger underlying
problem, in not just NPM but also other packaging systems:

  • We’re currently relying on the trustworthiness and ethics of many package
  • Package repositories are a critical piece of our infrastructure.

Both are single points of failure for a lot of projects, except the few
that actually commit their node_modules, vendor, etc. directories to
their GitHub repository.

Another interesting thing is that package authors can not only un-publish
their packages, they can also modify already-released ones.

I think this is a very weak link in our infrastructure. What we need is a
packaging system that is:

  • Immutable / Append-only
  • Decentralized
  • Distributed: anyone should be able to run a mirror.

Append-only means that once you publish a package, it can never be changed or
unpublished. It can’t be censored or taken down. This puts the control
back in the hands of the user, and we’re no longer at the mercy of package
developers or centralized repositories.
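To make the append-only property concrete, here is an added illustration (not code from the original post, NPM, or any real package manager) of a content-addressed index that accepts a name/version pair exactly once, can be rebuilt as a mirror from its exported log, and lets a consumer verify fetched bytes against a pinned digest. The package name, artifact bytes and lockfile format are all constructed for this example.

```python
"""Append-only, content-addressed package index (added illustration).

Constructed for this page; it is not code from NPM or any real registry.
"""
import hashlib
import json
from typing import Dict


def content_digest(data: bytes) -> str:
    """Return a content address for a release artifact (sha256, hex)."""
    return "sha256-" + hashlib.sha256(data).hexdigest()


class AppendOnlyIndex:
    """A package index where a (name, version) entry is added once and never changed.

    There is deliberately no unpublish() or replace(): consumers pin the digest,
    and any mirror built from the same log serves identical bytes.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}   # "name@version" -> digest
        self._blobs: Dict[str, bytes] = {}   # digest -> artifact bytes

    def publish(self, name: str, version: str, data: bytes) -> str:
        key = f"{name}@{version}"
        digest = content_digest(data)
        if key in self._entries:
            if self._entries[key] == digest:
                return digest  # idempotent re-upload of identical bytes is harmless
            raise PermissionError(f"{key} is already published; releases are immutable")
        self._entries[key] = digest
        self._blobs[digest] = data
        return digest

    def fetch(self, name: str, version: str) -> bytes:
        digest = self._entries[f"{name}@{version}"]
        return self._blobs[digest]

    def export_log(self) -> str:
        """Serialize the whole index so anyone can run a mirror from it."""
        return json.dumps(
            {"entries": self._entries,
             "blobs": {d: b.hex() for d, b in self._blobs.items()}},
            sort_keys=True,
        )

    @classmethod
    def mirror_from_log(cls, log: str) -> "AppendOnlyIndex":
        parsed = json.loads(log)
        mirror = cls()
        mirror._entries = dict(parsed["entries"])
        mirror._blobs = {d: bytes.fromhex(h) for d, h in parsed["blobs"].items()}
        return mirror


def verify_install(lockfile: Dict[str, str], name: str, version: str, data: bytes) -> bool:
    """Consumer-side check: bytes fetched from any mirror must match the pinned digest."""
    return lockfile.get(f"{name}@{version}") == content_digest(data)


# Constructed sample artifacts (hypothetical package, not a real release)
EXAMPLE_V1 = b"module.exports = function pad(s, n, c) { /* ... */ };"
TAMPERED_V1 = EXAMPLE_V1 + b"\n// silently changed after release"


def demo() -> Dict[str, bool]:
    index = AppendOnlyIndex()
    lockfile: Dict[str, str] = {}
    lockfile["example-pkg@1.0.0"] = index.publish("example-pkg", "1.0.0", EXAMPLE_V1)

    # 1. An attempt to overwrite an already-released version is rejected.
    try:
        index.publish("example-pkg", "1.0.0", TAMPERED_V1)
        overwrite_rejected = False
    except PermissionError:
        overwrite_rejected = True

    # 2. A mirror rebuilt from the exported log serves bytes that verify against the lockfile.
    mirror = AppendOnlyIndex.mirror_from_log(index.export_log())
    mirror_ok = verify_install(lockfile, "example-pkg", "1.0.0",
                               mirror.fetch("example-pkg", "1.0.0"))

    # 3. Bytes differing from the pinned digest fail verification, whoever serves them.
    tampered_ok = verify_install(lockfile, "example-pkg", "1.0.0", TAMPERED_V1)

    return {"overwrite_rejected": overwrite_rejected,
            "mirror_ok": mirror_ok,
            "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the digest in the lockfile is that the user, not the repository, holds the reference: a mirror can be run by anyone, and a release that was modified or re-uploaded after the fact fails verification on the consumer's side regardless of which server delivered it.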
