arcatek•57m ago
Packages are typically different once published than they were inside their original repositories. Call it transpilation, build, compilation, packaging, etc., most popular projects require some level of support for dynamic code execution before reaching their usable state.
As much as I'd have liked Git to be a viable option compared to centralized registries, the last couple of years demonstrated running arbitrary commands during install is too much of a risk for it to work at scale.
AlotOfReading•35m ago
...most popular projects require some level of support for dynamic code execution before reaching their usable state.
None of your examples require arbitrary script execution. You can specify them all declaratively, like Bazel forces you to do. I don't think that package managers should be doing the job of a build system though.
tikkabhuna•49m ago
There’s no perfect solution here. Publishing to a separate registry can survive a Git repo rename, migration or deletion. Locking into a Git host seems undesirable. By separating VCS and registry they can offer different feature sets. There’s also nothing stopping someone from publishing to multiple registries.
klntsky•14m ago
The almost perfect solution is Nix.
iririririr•7m ago
If you mean Nix the state declaration, it is an illusion. When you have a package for Debian 12... you just install it. When you have Debian 13, you need the package for Debian 13 and there's no way around it. Nix lies that you don't have to worry about all that, which is only as true as it is true with packages. If you can replace -12 with -13 in a non-Nix setup, your Nix "package x" will still work. Otherwise you will have to deal with it, just with more layers.
If you mean NixOS, that's just starting yet another distro maintenance issue from scratch.
kibwen•18m ago
Maybe everyone else is too young to remember left-pad, but in the wake of left-pad everyone learned that one of the primary selling points of dedicated dependency repositories is that they can refuse to support "unpublishing" a dependency, which is not a guarantee that GitHub (or any other popular forge) makes.