by OkayPhysicist 34 days ago
The missing piece there, that would be a real value-add over normal package repositories, is that functions can be small enough to simply be done. Function gets marked as such, it can no longer be updated, thus eliminating the risk of supply chain attacks and their ilk. IMO, most packages I actually use, with the exception of web frameworks, ought to fall into this category. My JSON parser should never update. My Knapsack-problem solver should never update.

These are problems that are hairy enough that I don't want to write my own solution, yet tractable enough that there ought to be a solution that never needs to be touched again. Maybe someone finds a better way of doing it, but the way they're currently doing it will never be wrong.


In what ways do version pinning/lockfiles not solve this problem?
Duplicate transitive dependencies throw a wrench in the lockfiles/pinning approach, since most package managers don't make it easy to install multiple versions of the same package (operating under the assumption that packages are large).

There's also a meaningful message difference when you look at a package page that says it's "done" as opposed to "dead".
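As an added illustration (not code from anyone in the thread), the script below models the two points made above: a lockfile that records a content hash for each resolved package, so a "done" package is verifiably unchanged at reinstall time, and a single-version-per-package resolver that exposes the duplicate-transitive-dependency conflict that pinning alone papers over. The registry, package names, versions and source strings are all constructed sample data; `lock` and `verify` are hypothetical helpers, not any real package manager's API.

```python
"""Added example: content-addressed lockfile plus a one-version-per-package
resolver that reports conflicting transitive requirements.
All registry data below is constructed for illustration."""
import hashlib
from collections import defaultdict

# Constructed registry: package -> version -> (source text, dependencies).
# webfw and knapsack both depend on jsonparse, but on different versions.
REGISTRY = {
    "jsonparse": {
        "1.0.0": ("def parse(s): ...", {}),
        "2.0.0": ("def parse(s, strict=True): ...", {}),
    },
    "webfw": {"3.1.0": ("class App: ...", {"jsonparse": "2.0.0"})},
    "knapsack": {"0.9.0": ("def solve(items, cap): ...", {"jsonparse": "1.0.0"})},
}


def content_hash(source: str) -> str:
    """Content address of a package's source; this is what makes 'done' checkable."""
    return "sha256:" + hashlib.sha256(source.encode()).hexdigest()


def lock(root_deps, registry=REGISTRY):
    """Resolve root_deps with a one-version-per-package rule.

    Returns (lockfile, conflicts): lockfile maps package -> (version, hash);
    conflicts maps package -> sorted (version, requester) pairs whenever two
    consumers asked for different versions, which a single-version install
    cannot satisfy (the first version reached simply wins).
    """
    chosen = {}                    # package -> version actually installed
    requested = defaultdict(set)   # package -> {(version, who asked for it)}
    stack = [(pkg, ver, "<root>") for pkg, ver in root_deps.items()]
    while stack:
        pkg, ver, who = stack.pop()
        requested[pkg].add((ver, who))
        if pkg in chosen:          # already resolved; only record the request
            continue
        chosen[pkg] = ver
        for dpkg, dver in registry[pkg][ver][1].items():
            stack.append((dpkg, dver, f"{pkg}@{ver}"))
    conflicts = {
        p: sorted(r) for p, r in requested.items() if len({v for v, _ in r}) > 1
    }
    lockfile = {p: (v, content_hash(registry[p][v][0])) for p, v in chosen.items()}
    return lockfile, conflicts


def verify(lockfile, registry):
    """Reinstall-time check: every locked package's hash must still match what
    the registry serves. Returns the packages whose content changed."""
    bad = []
    for pkg, (ver, digest) in lockfile.items():
        source = registry.get(pkg, {}).get(ver, ("",))[0]
        if content_hash(source) != digest:
            bad.append(pkg)
    return bad


if __name__ == "__main__":
    lf, conf = lock({"webfw": "3.1.0", "knapsack": "0.9.0"})
    for pkg, (ver, digest) in lf.items():
        print(f"{pkg}=={ver}  {digest}")
    for pkg, reqs in conf.items():
        print(f"conflict on {pkg}: {reqs}")
    print("changed since lock:", verify(lf, REGISTRY))
```

Running it shows jsonparse locked at 1.0.0 with a conflict entry for webfw, which wanted 2.0.0: the pin is honoured, but one consumer silently gets the wrong version. Swapping in a registry where jsonparse 1.0.0's source differs makes `verify` flag it, which is the check a "done" marker would let a registry enforce permanently.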