by pitaj 2902 days ago
URL imports are a terrible idea. There's a reason we actually have package managers and repositories instead of installing from GitHub.

Properly made and run package managers are more secure and offer a better developer experience than importing by URL.

2 comments

Which package managers are properly made, and how are they more secure? As far as I'm aware npm's security model is shared with almost all of them.
RPM and .deb packages have GPG signatures and lists of trusted maintainers. NPM doesn't have that; https://medium.com/redpoint/introducing-pkgsign-package-sign... looks like a very early start on a big project that could fix this if it catches on.
Cargo is far better in this regard, for one.
Cargo packages can also execute arbitrary code at compile time through build scripts, which run with the full permissions of the original `cargo` command, including filesystem and network access.
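One defender-side check that follows from the build-script point above, as an added example that is not code from the thread or from Cargo itself: it inspects a `.crate` archive (a gzipped tar with one top-level directory) and reports whether `cargo` would compile and run a build script, via the default `build.rs`, an explicit `build` key, or none when `build = false`. The sample archive is constructed in memory and the TOML scan is a simplified line scanner, both assumptions of this example.

```python
import io
import re
import tarfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BuildScriptReport:
    crate: str                  # top-level directory, e.g. "demo-0.1.0"
    has_build_script: bool      # True if cargo would compile and run a build script
    script_path: Optional[str]  # path of that script inside the archive
    reason: str


def _package_build_key(manifest: str):
    """Return None (no `build` key in [package]), False (`build = false`) or the path.
    Simplified line scan, not a full TOML parser (an assumption of this example)."""
    in_package = False
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("["):
            in_package = line == "[package]"
        elif in_package and (m := re.match(r"build\s*=\s*(.+)$", line)):
            value = m.group(1).strip()
            return False if value == "false" else value.strip('"')
    return None


def audit_crate(archive: bytes) -> BuildScriptReport:
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        files = {m.name for m in tar.getmembers() if m.isfile()}
        manifest_name = next(n for n in files if n.count("/") == 1 and n.endswith("/Cargo.toml"))
        manifest = tar.extractfile(manifest_name).read().decode()
    root = manifest_name.split("/", 1)[0]
    key = _package_build_key(manifest)
    if key is False:
        return BuildScriptReport(root, False, None, "build = false in Cargo.toml")
    script = f"{root}/{key}" if key else f"{root}/build.rs"  # cargo's default is build.rs
    if script in files:
        return BuildScriptReport(root, True, script, "explicit build key in Cargo.toml" if key else "build.rs at crate root")
    return BuildScriptReport(root, False, None, "no build script found")


def make_crate(root: str, contents: Dict[str, str]) -> bytes:
    """Constructed sample .crate built in memory (test input only, not a real crate)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in contents.items():
            info = tarfile.TarInfo(f"{root}/{path}")
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()
```

A crate flagged `has_build_script=True` is one whose compilation executes code with the invoking user's privileges, so it is the one to read before adding it as a dependency.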
> package managers are more secure

How?