There are (at least) two quite different problems here:
1) how do I decide which version of a dependency version I should use? Many projects trust package management tools (yarn, cargo, etc) and centralised repositories (crates.io, etc) to serve them the most suitable hashed state via commands like `yarn update` and `cargo update`. To what extent are these states signed by the dependency's maintainers and to what extent are these signatures validated on the developers machine across language and package management ecosystems? I'd be interested to see some analysis of this.
2) how can I download a specific version of a dependencies without relying on a centralised entity (github)
DanConwayDev
npub15qy…yejr
2024-04-17 08:58:07
in reply to nevent1q…9390
Author Public Key
npub15qydau2hjma6ngxkl2cyar74wzyjshvl65za5k5rl69264ar2exs5cyejrPublished at
2024-04-17 08:58:07Event JSON
{
"id": "c038540e26e6894bea30f8525017bfde3070d77a6c18ace09a1bde644f3ce09c",
"pubkey": "a008def15796fba9a0d6fab04e8fd57089285d9fd505da5a83fe8aad57a3564d",
"created_at": 1713337087,
"kind": 1,
"tags": [
[
"p",
"397417f84734d01c2e9bebdfb68fadaa0099b92e6831ff3f4e1ed54ec893edef",
"wss://nos.lol/",
"purple.co"
],
[
"p",
"47be0b2a89faaa66bc57f5c679203486da45660295cb3db3c2f38f4be8d8816e",
"wss://relay.damus.io/",
"frphank"
],
[
"p",
"e989aa6e0137d52a410ecd89ae59f7adbfb0bdec9786b9181c3707954b4cfa69",
"wss://relay.damus.io/",
"schmijos"
],
[
"e",
"49e3d8a72aa5cdda6d0a658daa0d31df2fad650a56c1aafdb7810a53ab954740",
"wss://nos.lol/",
"root"
],
[
"e",
"7c93eafd9b9b7827117aefa1f83ff9e211f61312074f8085789059dac5bf71a6",
"mention"
],
[
"e",
"fd6407411bc1492f07925c4f554555132917811c6572fc1b394dedae7e0c653a",
"",
"mention"
],
[
"e",
"ed2f661d9887f4d153841d4d8b655baafa4658c8d92319da1ebaa0cebd492f44",
"wss://nos.lol/",
"reply"
]
],
"content": "There are (at least) two quite different problems here:\n1) how do I decide which version of a dependency version I should use? Many projects trust package management tools (yarn, cargo, etc) and centralised repositories (crates.io, etc) to serve them the most suitable hashed state via commands like `yarn update` and `cargo update`. To what extent are these states signed by the dependency's maintainers and to what extent are these signatures validated on the developers machine across language and package management ecosystems? I'd be interested to see some analysis of this.\n2) how can I download a specific version of a dependencies without relying on a centralised entity (github)",
"sig": "42740160f0bef7746aa9c01d14a9bf8b9de831d47f316109d4495cf059cefce0ad07071feb4d6829539cf480924738143933473027d47c92a926ed91c82446ec"
}