
| From: Lennart Sorensen via talk <talk@gtalug.org>

| On Thu, Jun 13, 2019 at 10:06:37PM -0700, Dhaval Giani via talk wrote:
| > I agree with you on this, but also seeing how some libraries get
| > developed/updated (I am looking at you, npm), I can see why some
| > programmers prefer static libraries.
|
| But npm is one of those modern ecosystems that believes every project
| should pick its own version of everything.  It is effectively static
| linking.
|
| So npm is the static linking problem.

I'm thinking about npm (a JavaScript repository).  Not that I know
anything about it.

The word "curation" has been used to excuse a bunch of things, good and
bad.  But it's not a bad description of the role I'm thinking of.

I admit that I go on and on about these issues.  See for example
"updates and shared libraries [was Re: A find alternative: fselect]"
from last week.  Or my last lightning talk "What is a distro?".  But I
think that they are really important.

There is too much software that we want and need for each of us to do
quality control:

- is it well designed for the problem it addresses?

- is it better than the alternatives?

- does it fit into existing environments?

- is it sufficiently stable?  Bug free?

- does it have a reasonable likelihood of not being a security risk?

- is it stable?

- does it have a likelihood of ongoing support and development?

- is there a reasonable way of feeding back bug reports to the
  developers?

I mostly depend on Fedora to do these things for me.  Perhaps not
perfectly, but a lot better than I can do on my own.  I chose my distro
partly based on how well I think that they do this curation.

Non-Linux folks are often uncomfortable with the level of curation by
Linux distros.  They feel more comfortable with Microsoft or Apple.

A bunch of systems that exist as part of Linux also bypass the distro:

- Python Package Index (python)

- PEAR (PHP)

- CTAN (TeX)

- CPAN (Perl)

- npm (JavaScript)

- crate.io (Rust)

Who then does the curation?  Are they any good at it?  It's easy to say
"the user", but for big things like these that is impractical.

I'm not particularly comfortable with any of these repositories,
possibly due to ignorance.

If you need things from these repos, it is pretty easy to rationalize
trusting them.