Packages are typically different once published than they were inside their original repositories. Call it transpilation, build, compilation, packaging, etc.; most popular projects require some level of support for dynamic code execution before reaching their usable state.
AlotOfReading•2m ago
...most popular projects require some level of support for dynamic code execution before reaching their usable state.
None of those examples require arbitrary code execution. You can specify that stuff declaratively, like Bazel forces you to do. I don't think that package managers should be doing the job of a build system though.
tikkabhuna•17m ago
There’s no perfect solution here. Publishing to a separate registry can survive a Git repo rename, migration or deletion. Locking into a Git host seems undesirable. By separating VCS and registry they can offer different feature sets. There’s also nothing stopping someone from publishing to multiple registries.
arcatek•25m ago
As much as I'd have liked Git to be a viable option compared to centralized registries, the last couple of years demonstrated that running arbitrary commands during install is too much of a risk for it to work at scale.