undefined | Better HN

0 pointsKlathmon8y ago0 comments

>If npm packages used a Github-style "author/package" format, name collision would never be an issue again.

They have that, and many are finally starting to take advantage of it (with babel being the most prominent with their latest version)

But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google\" there are going to be some very upset californians)

0 comments

ohitsdom8y ago

It does fix the problem, although consumers of the package need to first verify they trust the original author.

For example, if Google published "Google/polymer", dependents would be unaffected if a new package was published from "badguy/polymer". I think you're saying it's still not fixed because someone could register the Google author name before the real Google gets it, but that is a understood problem across every website.

slig8y ago

> (if someone takes "google\" there are going to be some very upset californians)

Not a problem at all. They will just get the name by force. It already happened before, google "npm kik".

KlathmonOP8y ago

Yeah, but it's still a "problem" in that it technically doesn't change anything from the current system.

croon8y ago

The issue isn't people assuming that every alias on the internet is truthful, very few people (hopefully) do.

The problem is a package URI being reused without me realizing, and that problem would be solved.

krapp8y ago

>But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google\" there are going to be some very upset californians)

The idea is that the author name maps to an actual repo and should serve as a second layer of authentication outside of NPM's control. The namespace should belong to the repository owner.

No one should be able to "take" google/ since the actual Google already owns github.com/google.

TomMarius8y ago

That would make a connection between Github and NPM. What if I want to use Bitbucket?

krapp8y ago

I'm suggesting NPM integrate Github's authentication API into their publishing process, to validate that the author owns a namespace if NPM doesn't already do that (I don't know, I don't use NPM.) If Bitbucket allows the same, then that's OK. The point is to have authors control namespaces, and NPM control package names but only validate namespaces. If namespaces are just another string that NPM controls and that can be handed out, revoked or taken over like package names then using them doesn't solve the intended problem at all.

Since NPM uses a centralized registry, though, some limitations would have to be imposed, and allowing multiple sources would mean allowing for conflicts between github:google/package and bitbucket:google/package. Ideally, namespaces should be unique and canonical, and the simplest way to accomplish that is just to allow publishing to a single source.

tylerhou8y ago

Keep a git mirror of your Bitbucket repository on GitHub.

j / k navigate · click thread line to collapse

0 comments

ohitsdom8y ago

It does fix the problem, although consumers of the package need to first verify they trust the original author.

slig8y ago

> (if someone takes "google\" there are going to be some very upset californians)

Not a problem at all. They will just get the name by force. It already happened before, google "npm kik".

KlathmonOP8y ago

Yeah, but it's still a "problem" in that it technically doesn't change anything from the current system.

croon8y ago

The issue isn't people assuming that every alias on the internet is truthful, very few people (hopefully) do.

The problem is a package URI being reused without me realizing, and that problem would be solved.

krapp8y ago

>But this doesn't completely "fix" the problem, since the exact same conflicts can still happen with the "author" name (if someone takes "google\" there are going to be some very upset californians)

The idea is that the author name maps to an actual repo and should serve as a second layer of authentication outside of NPM's control. The namespace should belong to the repository owner.

No one should be able to "take" google/ since the actual Google already owns github.com/google.

TomMarius8y ago

That would make a connection between Github and NPM. What if I want to use Bitbucket?

krapp8y ago

tylerhou8y ago

Keep a git mirror of your Bitbucket repository on GitHub.

j / k navigate · click thread line to collapse