undefined | Better HN

0 pointszrail5mo ago0 comments

The problem, as with every package manager, is transitive dependencies. It's all well and good to set up direct dependencies to only pull from git repositories, but bundler still needs a way to resolve those gems' dependencies.

You could pre-resolve every dependency in your chain to a git repository, even to a fork under your own control, but that will end up being a maintenance nightmare.

0 comments

Imustaskforhelp5mo ago

Can't a middle compromise happen as it happens in something like golang?

Can some vps/serverless provider not do this like fly.io as an recent example with kurt got got? or hetzner?

I think that golang's model can actually be sort of cheaper/ more cost effective for servers as compared to how ruby might be doing it right now and so cheaper might mean that a new non profit can be created which can work on less money/outside funding/drama overall

zrailOP5mo ago

Retrofitting Go's dependency model into Ruby is not trivial. Go has used full URLs for dependencies from the jump, making a central package repository irrelevant. Ruby doesn't have that. At best you might have a source code URL in the gem source that you can access from a gem server, but that doesn't really anything. Someone still has to provide the index.

phoronixrly5mo ago

> I think that golang's model can actually be sort of cheaper/ more cost effective for servers as compared to how ruby might be doing it right now and so cheaper might mean that a new non profit can be created which can work on less money/outside funding/drama overall

It also means no code signing and the natural capture of most of the ecosystem by Microsoft (due to devs preferring to host their code on github, a bundler that lacks package hosting will be entirely at the whim of MS)

Imustaskforhelp5mo ago

If you are worried about github/MS capture... Then my suggestion is to just create mirrors of golang projects you like on gitlab/codeberg

But this is so so much better than having arko or somebody having your PII.

Like I hate github but I am pretty sure that people there aren't actively looking for my PII when I download go projects or that a single person couldn't really access it I suppose

I am not really familiar but if I remember the heads project related to coreboot isn't there a way to sign your github repository with your ssh key or something related (I can be wrong, I usually am)

Like I know it could be a pain in the ass but if you are so worried about github, what if we could optionally have everything be gpg'd via ssh keys & the project could only work if someone shares a ssh key

And something like rubygems could just have a name <-> github mapping <-> gpg mapping and it might require some additional software right now but I am just giving ideas maybe for new languages as well I am not sure

What are your thoughts? And what do you think the ideal way could be. I have heard from many people (like primagen) that golang is the best package model and I also resonate with that statement but yeah github is a bit of menace/threat to open source

All the more reason to use something like codeberg!

j / k navigate · click thread line to collapse

0 comments

Imustaskforhelp5mo ago

Can't a middle compromise happen as it happens in something like golang?

Can some vps/serverless provider not do this like fly.io as an recent example with kurt got got? or hetzner?

zrailOP5mo ago

phoronixrly5mo ago

Imustaskforhelp5mo ago

If you are worried about github/MS capture... Then my suggestion is to just create mirrors of golang projects you like on gitlab/codeberg

But this is so so much better than having arko or somebody having your PII.

Like I hate github but I am pretty sure that people there aren't actively looking for my PII when I download go projects or that a single person couldn't really access it I suppose

I am not really familiar but if I remember the heads project related to coreboot isn't there a way to sign your github repository with your ssh key or something related (I can be wrong, I usually am)

All the more reason to use something like codeberg!

j / k navigate · click thread line to collapse