@bekopharm
Exactly.

(Google, boo! 😈)

@RyunoKi Google boo whatever. Try releasing a Chrome extension without :P

(Or an Android app).

@bekopharm
Pah!

Why would I want to write for Chrome?
That doesn't help Firefox at all.

@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi Personally I very much prefer to live in a world where there are two layers in the distribution of software (libraries).

One where everybody can upload, and I as a moderately competent software person can go to discover new things, review them (both as code and as maintainership situation), decide whether or not I want to trust them.

And another where I as a tired person who needs the software|library *now* can go and get things (and trust automatic updates) knowing that somebody has already given them at least a bit of review, that there are automatic systems in place to keep checking that it keeps working, that there are procedure in place to substitute the people involved in this review if they disappear, if there are security patches I will get them applied without having to upgrade to a completely new version at a random time and basically all the things that I would have to do personally to safely use in production code taken directly from the first layer.

@valhalla @clacke @federico3 @bekopharm @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi
The second layer is called "distros" :P

@valhalla @clacke @federico3 @bekopharm @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi also, since with the first layer you have to re-audit with every update, you may as well vendor that dependency (as in, put a copy of a specific version in your repo), so arguably github could be enough as the first layer

@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi Honestly having a central point for all things python which is just little more than a directory feels nicer than the alternative of having to go through github, condemning to oblivion everybody who wants to host elsewhere (including self-host).

Some kind of distributed directory would be even better, but I'm not the person who will write one any time soon :D

@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi Also, my personal choice rather than vendoring would be to package and upload for debian¹: 90+% of the work has already been done, I might as well do the last bit and make my work useful for everybody else.

¹ because that's what I use and what runs on production. substitute with fedora, arch, whatever else may apply.

@valhalla
Hard to do with multiple projects on the same machine.

Nor using Docker or VMs.

(Anybody want to stop getting notified?)
@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150

@clacke @federico3 @bekopharm @wolf480pl @Sandra @lrvick @technicallypossible @ruffni @Johann150 @RyunoKi exactly!

@bekopharm @RyunoKi @Johann150 awww yeh the rust crate saga begins, npm 2 tranny boogaloo

@yes @Johann150 @RyunoKi sorry, failed to parse that but yes, that's a very common thing in npm too due to it's popularity.

@bekopharm @Johann150 @RyunoKi cargo and rust made the same mistakes the nodejs ecosystem did early on and they are about to learn just how dire the consequences are when combined with normalizing vendored c deps, version pinning and being a compiled language. people may actually die from bugs in old rust power builds of software. an ecosystem of lies and false promises is about to start imploding lok

@bekopharm
That's a different attack vector.

The above is turning a benevolent package into a malicious one while there is seemingly no change in authorship (same email address)
@Johann150