Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The correct approach would be to allow changes like this to be pushed to _new_ versions but to lock pre-existing versions in place. The alternative is this weird world where the platforms themselves have spooky editorial control over every package and could step in at any time and lock out the maintainers (sounds a lot like SourceForge).


The "alternative" is exactly what Linux distros like RHEL and Debian do. They have editorial control over every package and often make changes the original developers don't like. It seems to work fairly well as long as you don't insist on following the latest version.


One mental model is that Linux distros are really just curated package repositories, with all the upsides and drawbacks that come with that. Especially regarding their dogmatic insistence that across the entire repository there's only a single (or at most several) versions of any given library


Aren't developers always using the same version and blindly downloading and running malicious code doing the same thing, running a single version?

Only those were harmed. And by harmed it was just really a bunch of tests runs failing, I guess no production workload was impacted by that jerk move.


Right, but my point is this code, in and of itself, really isn't malicious. It's only malicious in the context of "version XYZ used to do X, now it does Y". If you make versions indelible, you eliminate the potential for this to blow up as an issue.


To be clear, you can't edit an existing published version of a package on NPM, nor can you delete packages (havent been able to for 5 years-ish).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: