6 votes

Topic deleted by author

2 comments

  1. [2]
    9000

    One thing she mentions in the talk is that by distributing the cost of maintaining infrastructure across the community, we can create more sustainable systems than centralized providers can. I think that's wise, but I'm not sure if even federation gets us far enough.

    For instance, I would expect that default or major providers would become rather centralized, since it's much easier as a dev to offload the task of maintaining a server to someone else. Most people don't want to host, update, and generally maintain a server just to publish software. And even if they did, this means that if Dominic Tarr's package becomes super important for the ecosystem, his node will get hit with a lot more requests, which is expensive. This is true even if there is some mirroring to other servers (like entropic will have), because ultimately, his is canonical. Finally, I don't see anything on their project page about verifying the code. If servers will duplicate dependencies, how can you as a user trust these servers to not poison your dependency code? If it is going to be content-addressed, like they claim, how is that verified? It looks currently like it is actually location addressed, given the dependency schema.

    In contrast to a lot of these issues, I personally like the idea of a package manager built on a P2P system like IPFS or Dat, which would provide even more decentralization and mirroring, while also providing cryptographic proof of authorship. You can still have a server pin your resource, but then any other host or user who mirrors it shares in the burden of providing that resource. The addresses tend to be significantly less readable than DNS, but we could use a solution like the Beaker Browser uses, and bootstrap off of DNS by checking /.well-known/.

    The only projects I know along these lines are gx and dat-installer (which, granted, is an app store not a package manager). These are not endorsements, just a list. I'd be excited to hear if anyone knew of any other similar resources!

    2 votes
    1. [2]
      Comment deleted by author
      1. 9000

        I could see a small number of large companies being the most-used hosts.

        Yeah, I know that the Debian project has historically had a bit of a struggle to distribute load across all of its mirrors. That's why I am concerned.

        I'm guessing cryptographic security is going to be included, because she mentions code signing in the video as an example of what npm is not incentivized to proactively provide.

        That's a good point! I had forgotten about that. I'd be interested in seeing how they solve the key passing/validation problem while still being user friendly. Just because they're community run does not mean they'll suddenly have good solutions to all of these problems.

        This issue on the entropic repo has some good discussion about IPFS and Dat.

        Thanks! I hadn't seen that! I'm glad people are talking about it. It's too bad neither of those projects is really ready yet. I've been watching them in anticipation for a long time. I still think it might be worth exploring one of those projects anyway, since it's one of the best ways I know to encourage sharing network resources.

        I'm not really a JS programmer, but I'll keep watching this project!

        2 votes