Libya

>All package managers have the insane security model of "arbitrary code execution with no constraints".

Not all of them, just the most popular ones for these highly sophisticated, well thought-out bunch of absolute languages.

I beg to differ and look forward to running my own fiefdom where interpreter/JIT languages are banned in all forms.

Clearly,

> which exists solely because operating systems don’t provide what it needs already

means Plan9 provided those needs already.

Which Plan9 features exactly give me a unified API layer to handle workload scheduling incl. fault tolerance, flat networking across a cluster or service discovery? Containers are an implementation detail and not what Kubernetes is fundamentally about.

With regards to Rust, crates are packages which may include opaque binaries, e.g. serde_derive, and the stdlib is weak, so imports of thousands of lines of code are basically necessary for otherwise fundamental features like async.

It's probably easier to add dependencies in Go, but in the end people/projects don't.

For the average user, both GitHub and default $GOPROXY would have to be down. For me, my CI runs where my (and code I've cloned) lives, self-hosted GitLab.

So "GitHub is every single programming language's centralized package repository, because lots of code is hosted there" ?

> Python supports installing from other non PyPI indexes > 95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

And yet there is a clear difference between source distributions and pip/npm/rubygem/cargo packages - and between tooling/ecosystems that ONLY support the former and those that MAY use either and unfortunately mostly use the latter.

> What is it that you imagine Python or NPM packages consist of?

Something like a script that runs as part of the package that downloads a tarball, modifies package.json, injects a local bundle.js and runs npm publish (see this post). Usually also hosted at the default, centralized, authoritative source run by the maintainers of the package management tool.

But I'm repeating myself.

> (or do they? do they just use https to check out?)

Maybe try it out or read the docs first.

I'm closing with this:

> NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

is either wrong or disingenuously misleading, requiring nothing to apply to every single thing, depending on how you slice your definitions. It does not hold any water, that is my entire argument.

That's why I'm putting emphasis on it, because to Go it is.

And to languages that actually have centralized package repositories it isn't. There is a difference between code and packages and Go simply does not have the latter (in the traditional sense - what Go calls a package is a collection of source files in the same directory that are compiled together within a module (a module is a collection of packages (again, code) that are released, versioned, and distributed together. Modules may be downloaded directly from version control repositories or via proxy servers)).

To the other languages mentioned above, packages may have binaries, metadata and special script hooks. There is a package manager like pip , cargo or npm and if you want to install one, you won't have to specify a URL because there is a canonical domain to go to.

Go just knows code and it'll use git, hg or even svn. And if you want to claim that lots of open-source code being on GitHub makes it special, then

> GitHub is every single programming language's centralized package repository

and

> Someone at Microsoft with root access could compromise every user of every single programming language

Then what's the difference between git and npm, cargo, pypi, mvn et al?