Hacker News new | ask | show | jobs
by tonsky 314 days ago
> Lockfiles are essential for somewhat reproducible builds.

No they are not. Fully reproducible builds have existed without lockfiles for decades
3 comments
its-summertime 314 days ago
of distros, they usually refer to an upstream by hash

https://src.fedoraproject.org/rpms/conky/blob/rawhide/f/sour...

also of flathub

https://github.com/flathub/com.belmoussaoui.ashpd.demo/blob/...

"they are not lockfiles!" is a debatable separate topic, but for a wider disconnected ecosystem of sources, you can't really rely on versions being useful for reproducibility

link
andix 314 days ago
> they usually refer to an upstream by hash

exactly the same thing as a lockfile

link
andix 314 days ago
Sure, without package managers.

It's also not about fully reproducible builds, it's about a tradeoff to get modern package manger (npm, cargo, ...) experience and also somewhat reproducible builds.

link
chriswarbo 314 days ago
> modern package manger (npm, cargo, ...) experience

Lol, the word "modern" has truly lost all meaning. Your list of "modern package managers" seems to coincide with a list of legacy tooling I wrote four years ago! https://news.ycombinator.com/item?id=29459209

link
pluto_modadic 314 days ago
...source?

show me one "decades old build" of a major project that isn't based on 1) git hashes 2) fixed semver URLs or 3) exact semver in general.

link