
@garbados Theoretically we could just use NPM solely with individually-hosted git repos and git versioning. Beyond linking to other people’s repos, encouraging a culture of forking and only using your own forks would make the system less fragile (this is what I try to do in my projects). The NPM tool supports decentralised use via git. The problem seems to be overcoming the convenience of centralised package hosting. Not sure how a p2p protocol like DAT would fix that particular issue.

@aral @garbados you would just refer to a git+dat:// URL the same way you refer to a github (which is, internally, a distributed DB/storage -- with CDNs, load-balancers, and such)

@dym @garbados Yep, I’m just not sure what problem git+dat solves over git if you’re already using git in a decentralised manner.

@aral @garbados I believe "trust" is the issue here. We somehow trust "lodash" more than "git.example.com/weirdName/loda

@aral @garbados There is an approach of a distributed npm registry using secure scuttlebutt, though it does not look very convenient to me yet:

github.com/noffle/ssb-npm-101

It is super inconvenient. I have been kicking the can down the road for over half a year on some automated procedure to make bootstrapping possible without reading a whole bunch of documents.

@aral that’s how Go does it: every dependency is a git repo. gx uses ipfs addresses the same way. the specific advantage of distributing packages over a peer mesh is bandwidth and redundancy: rather than downloading from one source, you torrent it from many. this relieves individuals of the investments NPM has to make in their infra to support all that traffic. in a p2p architecture, traffic just makes the network stronger.

@aral @garbados I think it would be great if the convenience of a centralized name space and service for discovery could be combined with a decentralized method for reference, storage and distribution in the lock files.

That way you would only run into any dead link issues as an author, but never (if everything is seeded) as a downstream consumer.
Aral’s Mastodon

This is my personal Mastodon.