SpaceManiac's comments (Hacker News)

I think I remember discussing this briefly in #rust with you. It's clearly not the case that "everyone understands" how these package managers actually work, but I'd rather see the reality become more obvious than give up and shackle these package ecosystems to Microsoft even harder than they already are.


NPM, Cargo, and the like are basically like the people saving a link to a random Wikipedia article, and then making the shocked Pikachu face when their presentation in front of the boss shows a defaced article with the Goatse picture in the middle of it.

There's a solution to this problem, of course. The Wikipedia team provides the tools you need! You can link to a specific revision of an article so there are no surprises. What you saw when you reviewed the content is what you get when you project it in the board room, or send out that mass email that includes your boss.

Similarly the solution for crates.io could be as simple as having hyperlinks go only to specific commit hashes. And then require that the crate content match the hash.

These days I hear a lot of developers complain that they "Just want to...". I always complete the sentence with "... ignore my responsibilities."

Package managers are in the same camp. "I just want to distribute packages." Okay, sure, but your responsibility is to do it so that downstream consumers fall into the pit of success and aren't burned by supply-chain attacks.

You can argue, or you can start working on catching up to the encyclopedia people that came from a background in porn hosting and start taking security seriously.


> require that the crate content match the [commit] hash.

If you want to audit a crate, you don't need to require that it "matches" anything else, you can just audit the crate. Download the source tarball from the same URL that Cargo would and audit it. I think the problem with crates.io is that it just gives you the GitHub link (possibly misleading - bad!) and doesn't just give you a button to download or browse the tarball that Cargo actually uses (what you see is what you get).

Defining "matches" and enforcing it against a remote Git repository is non-trivial. It gets worse with NPM because those packages are sometimes the output of the TypeScript compiler or Webpack, so now you need reproducible builds (a huge task) and a CI infrastructure to validate them. NuGet distributes .dll files, which often aren't even open source. There's no hope to enforce a correspondence with a Git repository there. A developer who wants to audit a NuGet package has no choice but to decompile it.

NPM clearly has a malware problem, and Cargo will eventually have one because it really wants to be like NPM. I'm not convinced that what you propose is the solution.
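The two comments above argue about what a crate should be checked against: a Git commit, or the tarball Cargo actually fetches. As an added example (not code from either commenter, nor Cargo's own), here is the content-hash form of that check, which is what a Cargo.lock already records in its `checksum` field for registry packages. The download URL pattern is the one crates.io serves `.crate` files from; the function names are mine, and the archive bytes and lockfile are constructed stand-ins, with the checksum computed from those bytes so the example runs offline.

```python
"""Verify a downloaded .crate archive against the checksum pinned in Cargo.lock.

Added example, not Cargo's code. It reproduces the content-hash pinning Cargo
performs for registry crates: the lockfile pins a SHA-256 of the tarball, and
the tarball is rejected if its hash differs.
"""
import hashlib
import hmac

# Pattern crates.io serves registry tarballs from (the URL Cargo itself uses).
CRATES_IO_DOWNLOAD = "https://crates.io/api/v1/crates/{name}/{version}/download"


def download_url(name: str, version: str) -> str:
    """The tarball to audit is the one at this URL, not the repository link."""
    return CRATES_IO_DOWNLOAD.format(name=name, version=version)


def pinned_checksums(lock_text: str) -> dict:
    """Map (name, version) -> sha256 hex for every [[package]] with a checksum.

    Cargo.lock is TOML, but its package tables are flat `key = "value"` lines,
    so a line scanner is enough here and avoids a TOML dependency. Path and
    git packages carry no checksum and are simply not pinned by this map.
    """
    pins = {}
    current = None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current and "checksum" in current:
                pins[(current["name"], current["version"])] = current["checksum"]
            current = {}
        elif current is not None and " = " in line:
            key, _, value = line.partition(" = ")
            current[key] = value.strip('"')
    if current and "checksum" in current:
        pins[(current["name"], current["version"])] = current["checksum"]
    return pins


def verify_crate(name: str, version: str, archive: bytes, pins: dict) -> bool:
    """True only if the archive hashes to the checksum pinned for this version."""
    expected = pins.get((name, version))
    if expected is None:
        return False  # nothing pinned: fail closed rather than trust the bytes
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data: a stand-in for foo-1.2.3.crate and a lockfile that
# pins it (a real .crate is a gzipped tar; the bytes do not matter here).
SAMPLE_ARCHIVE = b"\x1f\x8b stand-in for foo-1.2.3.crate bytes\n"
SAMPLE_LOCK = f'''\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "foo"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{hashlib.sha256(SAMPLE_ARCHIVE).hexdigest()}"

[[package]]
name = "local-thing"
version = "0.1.0"
'''


if __name__ == "__main__":
    pins = pinned_checksums(SAMPLE_LOCK)
    print("fetch and audit:", download_url("foo", "1.2.3"))
    print("intact archive verifies:", verify_crate("foo", "1.2.3", SAMPLE_ARCHIVE, pins))
    tampered = SAMPLE_ARCHIVE + b"extra byte"
    print("tampered archive verifies:", verify_crate("foo", "1.2.3", tampered, pins))
```

The point for the thread: once a lockfile pins the tarball's hash, "does the crate match" is a local, deterministic check on the bytes Cargo downloads, with no reproducible-build or remote-repository comparison required; the Git-correspondence problem the second comment raises only appears when you want to verify the tarball against a source tree.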


I get it. My mistake. Page 537 paragraph 7. I must have just missed it on the first reading of the contract.

I won't make that particular mistake again.

But just like the thousands (and thousands!) of people that are befuddled as to why Rust's console output is slower than Python, it's a pit of failure that others will fall into.

Over and over. And over.


The situation is unfortunate, but the grievance is legitimate. I regularly have to provide tech support to users when shell scripts fail with a terse "Permission denied" trying to invoke Python because the Windows Store launcher is higher on %PATH% than the Python that they just installed.


Your macro can expand to line!() or file!() calls as needed, which will reflect the call site.


By serving a JPG file rather than an HTML document.


It seems like in practice the biggest problem is "it got deleted", and everything else is about either preventing others from deleting your stuff or preventing yourself from deleting it out of laziness or frustration.

Deploying a web site with (S)FTP works as well as it ever did... and is just as obscure to non-technical people as it ever was. Ease of use means loss of control.


> Ease of use means loss of control.

It'd be a cool challenge to build something so simple that even a non-tech person could use which allows them to maintain control and ownership. Any good examples of tech in general that is highly approachable like this? Even things like WordPress are too complicated for most - maybe if not self-hosted it's not so difficult, but still falls short in terms of being complex and not just simple text or html (at the most).


To be pedantic, the Unicode standard disrecommends the use of a BOM in UTF-8-encoded documents rather than declaring it invalid.


It makes zero sense to specify a byte order for an encoding in which it is irrelevant. It only persists because of a lazy vendor that can't encode Unicode correctly.


It would have been nice if every well-encoded Unicode document started with BOM and every legacy doc did not, instead of having to guess whether a doc is more likely UTF-8 or Latin-1.


Then concatenating to valid Unicode documents would no longer be valid Unicode. That is bad. And ASCII text would no longer be a valid UTF-8 encoded Unicode document. That is bad. And even when everything has finally switched to UTF-8 every tool ever will still need to handle the BOM. That is bad.

Guessing between valid UTF-8 and Latin-1 is only ever ambiguous when there are multiple non-ASCII characters in a row and all those sequences are made up of a lead byte with the correct number of trailing bytes. How often is that a problem for you in practice?
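The comment above claims UTF-8 versus Latin-1 sniffing is only ambiguous when every non-ASCII byte is a valid lead byte followed by exactly the right number of continuation bytes, and that a BOM would be one more thing every tool has to strip. As an added example (not from any commenter), the classifier below makes that concrete: it reports plain ASCII, well-formed UTF-8, or "not UTF-8" (so Latin-1 or another single-byte encoding), flags a leading BOM, and for the genuinely ambiguous case shows both readings. It relies on Python's strict UTF-8 decoder to enforce the lead/continuation structure; the sample inputs are constructed.

```python
"""Sniff a byte string: ASCII, well-formed UTF-8, or not UTF-8 at all.

Added example, not from the thread. A lone Latin-1 byte such as 0xE9 ('é') is
a 3-byte UTF-8 lead that is never followed by two continuation bytes in real
Latin-1 text, so strict decoding fails and the guess is unambiguous. Only when
every non-ASCII run happens to form valid UTF-8 sequences do both readings
survive, which is the ambiguity the comment describes.
"""
import codecs


def classify(data: bytes) -> dict:
    """Return kind ('ascii' | 'utf-8' | 'not-utf-8'), BOM flag, and readings."""
    bom = data.startswith(codecs.BOM_UTF8)
    # Tools that decode as plain 'utf-8' keep U+FEFF as a character; the
    # 'utf-8-sig' codec exists precisely because of that. Strip it here.
    body = data[len(codecs.BOM_UTF8):] if bom else data
    result = {"bom": bom, "kind": None, "multibyte_sequences": 0, "readings": {}}

    if body.isascii():
        result["kind"] = "ascii"
        result["readings"]["ascii"] = body.decode("ascii")
        return result

    try:
        # Strict decoder: rejects stray continuation bytes, truncated
        # sequences, overlong forms and encoded surrogates.
        as_utf8 = body.decode("utf-8")
    except UnicodeDecodeError:
        result["kind"] = "not-utf-8"
        result["readings"]["latin-1"] = body.decode("latin-1")  # never fails
        return result

    result["kind"] = "utf-8"
    result["multibyte_sequences"] = sum(1 for ch in as_utf8 if ord(ch) > 0x7F)
    # Both decodings succeed, so this is the ambiguous case; show both.
    result["readings"]["utf-8"] = as_utf8
    result["readings"]["latin-1"] = body.decode("latin-1")
    return result


# Constructed samples covering each branch.
SAMPLES = {
    "ascii": b"plain ascii text",
    "latin-1 e-acute": b"caf\xe9 au lait",                 # 0xE9 then space: not UTF-8
    "utf-8 e-acute": "caf\u00e9 au lait".encode("utf-8"),  # C3 A9: valid either way
    "bom + json": codecs.BOM_UTF8 + b"{}",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        info = classify(raw)
        print(f"{label:16} kind={info['kind']:10} bom={info['bom']!s:5} "
              f"readings={info['readings']}")
```

Running it shows the asymmetry the comment relies on: the Latin-1 sample decodes only one way, while the UTF-8 sample decodes as "café" or, read as Latin-1, "cafÃ©", and only a human or a language model can tell which was meant.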


Antialiasing (nominally) makes text easier to read. Motion blur makes everything it's applied to harder to see.


This is the case. With an addon that deletes most but not all homepage items or sidebar recommendations, YouTube does some noticeable spinning trying to fill the space which keeps getting emptied.


In this scenario you'd be losing all your backlogs and user registrations anyways, so why re-use the existing client with a stapled-on redirector over switching to something you can actually deploy yourself?


The client is actually pretty good, so we could continue using that and I believe that for popular discords with lots of fans it wouldn't be the end of the world to have them re-register if everyone knew the alternative is losing the community.


I recently ported an early-2000s 2D game to WebAssembly and old Asyncify was too clunky and the Emterpreter was too slow to be useful. To get things working comfortably I ended up porting the game loops to use Clang's support for the C++ coroutines TS, with a simple scheduler that yields control back to the browser after every screen flip. I will have to see if this new Asyncify can do any better.


> To get things working comfortably I ended up porting the game loops to use Clang's support for the C++ coroutines TS, with a simple scheduler that yields control back to the browser after every screen flip.

Oh nice, is this code (or a write-up) available anywhere?

A couple of years ago I was working on porting Wesnoth and got it working...except it was too slow with the Emterpreter.

I'll try this new asyncify, but your approach sounds like an interesting backup if I were to resurrect my efforts.


I've been meaning to write a proper blog post for a while, but in the meantime here is a gist with notes[1] and the code in context[2].

[1] https://gist.github.com/SpaceManiac/79a507858fbe3946a0c40e99...

[2] https://github.com/SpaceManiac/HamSandwich/blob/emscripten/s...



