undefined | Better HN

0 pointsrabidrat8y ago0 comments

A public package manager and a public source code management tool, both of which are outside of your control. You should be able to deploy from a local [verified and audited] cache of your dependencies.

0 comments

3 comments · 1 top-level

zbentley8y ago· 2 in thread

That's a good goal to strive for, but isn't necessary or practical for everyone. Maintaining local/hosted artifact caches, verifying them, and auditing them is a big hassle, and unless you make something (e.g. fintech, healthtech) that might need such an audit or emergency release, might not be worth the trouble.

Itty bitty company making a social website on a shoestring budget/runway with very few developers? Might just be worth postponing a release a day or two if NPM or GitHub are having issues.

not_kurt_godel8y ago

virtualenv makes it trivial. It's not like it's strictly enterprise-grade tech.

zbentley8y ago

How does vrtualenv make maintaining, auditing, and using a local mirror of dependencies trivial? Seems to me I can download a poisoned package into a venv cache just as easily as I can download it with wget, and unless I take the time to check, I’m none the wiser either way.

1 more reply

j / k navigate · click thread line to collapse