About distro and learning from npm

Recently something happened in the npm community

You can follow the HN discussion here, but really, it's bad.

In the comments you can see, for example:

Since these libs are now baked into various package.json configuration files (some with 10s of thousands of installs per month, “left-pad” with 2.5M/month), meaning a malicious actor could publish a new patch version bump (for every major and minor version combination) of these libs and ship whatever they want to future npm builds.

Well… that lib "left-pad", with 2.5M installs per month: it gives this

and

which also illustrates that other problem.

Here is how I plan to solve that kind of problem with distro:

  • have a main repository on distro.as3lang.org as the "default"
  • be able to publish your own repository
    eg. the sources of the distro.as3lang.org server API will be available on GitHub
  • allow using optional, or even private, non-default repositories
    a bit like Ubuntu's unofficial PPA repositories

with these simple rules:

  • repos available on distro.as3lang.org can only be "public repos"
    eg. you can not have a private repo or closed sources published
    to the main distribution channel
  • when you build locally, a "private repo" can override a "public repo"
    • a public repo that has been taken down can have "alternatives",
      either public or private or whatever
    • user choice trumps the main repositories:
      your local distro config can override everything the way you want
      eg. even if an alternative does not exist, you can create one and be "unstuck"

ideally, also be able to:

  • clone a public repo to a local repo
    eg. grab the JSON structure and the different versions and make them all local,
    so even if distro.as3lang.org is offline it can still build
  • clone a public repo to another online repo

the goals are:

  • not be 100% dependent on an online main repository
    it should work even if distro.as3lang.org is offline
  • not be blindly dependent on dependencies
    a user should hard-copy all deps to his local repo,
    and it should be easy to "clone" those deps to the local repo
  • config driven
    some people will always want the up-to-date deps from the main online repo,
    some other people want to be able to build offline / from a private repo,
    and some other people will want to override some stuff