JRFC 19 - Let's Stop Installing Packages #19
Today's paradigm includes installing software. It's really silly, having to go find a particular package, and then download it manually. Our package managers should just make the code available. If it can be found in the registry, it should be importable in the code.
Easy, mount the registry:
Or, in my world:
Security is not about installing software X at time Y, but about checking integrity (hash the code) and authenticity (sign the code). This could be done on import, every single time you run the code, which would be much safer than just hoping all your files are the same as when you last looked at them. You did look at all the modules you imported, right? You are sure that
Not at all. Things will be cached locally, and just to make sure things stay local, why not pin them?
Basically, make your "mounted registry" save things locally that you're going to use regularly. (IPFS will do this for you).
And you should! Lock your local files to exactly the modules you want:
Below, it could easily be
@mafintosh where match here means resolve something like
@mafintosh we get subdependencies for free.
content-addressed deduplication :) !
Why would this only be at that layer?
If you want to go that route, create a Linux distro that mounts IPFS early enough in the chain, then symlink all the normal filenames to IPNS addresses that always have the latest released version. Instant always up to date system.
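Added example, not code from the issue or from any commenter: a minimal sketch of the "check integrity on import, every single time" and "lock your local files" ideas from the proposal, covering the hash check only (signature verification for authenticity is not shown). The names `verified_import`, `IntegrityError`, `digest`, the `sha256:` pin format and the `greet` module are all hypothetical.

```python
import hashlib
import os
import tempfile
import types

class IntegrityError(ImportError):
    """Raised when a module is unpinned or its bytes do not match the pin."""

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def verified_import(name, store_dir, lock):
    """Load `name` from the local cache only if it matches its pinned hash."""
    if name not in lock:
        raise IntegrityError(f"{name} is not pinned in the lock")
    path = os.path.join(store_dir, name + ".py")
    with open(path, "rb") as fh:
        source = fh.read()  # read once: the bytes hashed are the bytes executed
    actual = digest(source)
    if actual != lock[name]:
        raise IntegrityError(f"{name}: expected {lock[name]}, got {actual}")
    module = types.ModuleType(name)
    module.__file__ = path
    exec(compile(source, path, "exec"), module.__dict__)
    return module

def demo():
    """Constructed scenario: pin, load, modify the cached file, load again."""
    with tempfile.TemporaryDirectory() as store:
        path = os.path.join(store, "greet.py")
        original = b"def hello():\n    return 'hi'\n"
        with open(path, "wb") as fh:
            fh.write(original)
        lock = {"greet": digest(original)}  # the lock pins the exact content
        first = verified_import("greet", store, lock).hello()
        with open(path, "ab") as fh:  # cached copy changes after pinning
            fh.write(b"def hello():\n    return 'changed'\n")
        try:
            verified_import("greet", store, lock)
            blocked = False
        except IntegrityError:
            blocked = True
        return first, blocked

if __name__ == "__main__":
    print(demo())
```

Hashing the bytes that were read and then executing those same bytes, rather than re-opening the file, keeps the check and the use from drifting apart between the two steps.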