Conversation

When the left-pad debacle happened, I feared that people would conclude “dependencies are bad”. (Instead of the logical conclusion, which is “don’t allow dependencies to be deleted from package registries.”) That prediction turned out to be true. :(

Replying to

Not only deletion but more like immutability, and that is the problem for me of using github as the source of your dependency

kornel@mastodon.social

Replying to

and

In Cargo you can add `rev=hash` to git dependencies (and it's in Cargo.lock even if you don't)

Replying to

and

It's worth keeping in mind that Git hashes and signed commits / tags entirely depend on sha1 though. It's increasingly a bad idea to depend on any of it for security. Unfortunately, Git doesn't offer a solution and sources really need to be distributed in signed archive files.

Replying to

It means having a direct dependency on Git for fetching sources is problematic. Even if it ends up providing the option of a secure hash, it's not going to be consistently adopted and using this for verification in the first place is a bit crazy due to the order it does things.

6:05 PM · Jul 29, 2019Twitter Web App