March 23, 2016
Tons of other projects around the world depending on his packages broke as
a result of this. The NPM project responded by un-un-publishing the packages:
While you can say that the original author was not very nice to do this as
a protest, and without warning, I think it highlights a larger underlying
problem, not just in NPM but in other packaging systems as well:
- We’re currently relying on the trustworthiness and ethics of many package developers.
- Package repositories are a critical piece of our infrastructure.
Both are single points of failure for a lot of projects, except for the few
that actually commit their vendor directories (or the equivalent) to their
GitHub repository.
Another interesting thing is that package authors can not only un-publish
their packages, they can even modify already-released packages.
I think this is a very weak link in our infrastructure. What we need is a
packaging system that is:
- Immutable / Append-only
- Distributed, anyone should be able to run a mirror.
Append-only means that once you publish a package, it can never be changed or
unpublished. It can’t be censored or taken down. This puts the control
back in the hands of the user, and we’re no longer at the mercy of package
developers or centralized repositories.
Original URL: http://feedproxy.google.com/~r/feedsapi/BwPx/~3/PBBpcafdwjc/