by carlmr 447 days ago
IMO C/C++ is not much better, sure, no central package management system, but then people rewrite everything because it's too hard to use a dependency. Now if you do want to use one of the 1000 rewrites of a library, you'll have a lot more checking to do, and integration is still painful.

Painless package management is a good thing. Central package repositories without any checking isn't. You don't have to throw away the good because of the bad.

2 comments

I have that in C++: we wrote our own in-house package manager. Painless for any package that has passed our review, but since it is our manager we have enforced rules that you need to pass before you can get a new package in, thus ensuring it is hard to use something that hasn't been through review.

I'm looking at Rust, and that it doesn't work well with our package manager (and our rules for review) is one of the big negatives!

Note, if you want to do the above just use Conan. We wrote our package manager before Conan existed, and it isn't worth replacing, but it isn't worth maintaining our own. What is important is that you can enforce your review rules in the package manager, not what the package manager is.

> Painless package management is a good thing. Central package repositories without any checking isn't.

There's a reason why these things come hand in hand, though. If the package management is so painless that everyone is creating packages, then who is going to pay for the thoroughly checked central repository? And if you can't fund a central repository, how do you get package management to be painless?

The balance that most language ecosystems seem to land on is painless package management by way of free-for-all.

> And if you can't fund a central repository, how do you get package management to be painless?

You could host your own package server with your own packages, and have the painless package manager retrieve these painlessly.

Of course we're in this situation because people want to see the painlessness with what other people built. But other people includes malicious actors every once in a while.