This is a good point. There is often a lock file referring to a particular state of each dependency. However, centralised package managers are almost always trusted by project maintainers to provide the authoritative latest state. There are usually only a small number of authoritative package providers for each tech stack, which have a strategic lock due to network effects and language-specific features.
Is this what you mean?
Relying on the centralized package manager's idea of what the authoritative state is is a serious bottleneck.
This is why lock files are being used for each project to define its own state.
This is @simplex's lock file:
Each time it says "github" that's a centralized bottleneck that must go away.
simplex-chat/flake.lock at stable · simplex-chat/simplex-chat
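To make the point of the thread concrete, here is an added example (not code from either poster or from the SimpleX project) that walks a Nix flake.lock and reports, per input, which fetcher type it is locked to and whether the lock pins both a revision and a content hash. The lock file below is a constructed fragment in the shape Nix writes (schema version 7); the input names, revisions and hashes are made up and are not SimpleX's real lock contents. The set of "centralized forge" fetcher types is my own choice for the audit, not a Nix concept.

```python
import json

# Constructed flake.lock fragment (schema version 7). Node names, revs and
# narHash values are invented for illustration; this is not the real SimpleX lock file.
SAMPLE_FLAKE_LOCK = r'''
{
  "nodes": {
    "nixpkgs": {
      "locked": {
        "lastModified": 1700000000,
        "narHash": "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "0000000000000000000000000000000000000000",
        "type": "github"
      },
      "original": {"owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github"}
    },
    "vendored": {
      "locked": {
        "lastModified": 1700000001,
        "narHash": "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=",
        "path": "./vendor/lib",
        "type": "path"
      },
      "original": {"path": "./vendor/lib", "type": "path"}
    },
    "mirror": {
      "locked": {
        "lastModified": 1700000002,
        "narHash": "sha256-CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=",
        "ref": "refs/heads/main",
        "rev": "1111111111111111111111111111111111111111",
        "type": "git",
        "url": "https://git.example.org/mirror/lib.git"
      },
      "original": {"type": "git", "url": "https://git.example.org/mirror/lib.git"}
    },
    "root": {"inputs": {"nixpkgs": "nixpkgs", "vendored": "vendored", "mirror": "mirror"}}
  },
  "root": "root",
  "version": 7
}
'''

# Fetcher types whose availability depends on a single hosted forge.
# This grouping is an assumption made for the audit, not something Nix defines.
CENTRALIZED_FORGE_TYPES = {"github", "gitlab", "sourcehut"}


def audit_flake_lock(text):
    """Return {input_name: {type, centralized_forge, rev_pinned, content_pinned}}.

    The root node only lists inputs and has no fetcher, so it is skipped.
    'rev_pinned' means the lock names an exact commit; 'content_pinned' means
    Nix will verify the fetched tree against a narHash regardless of which host served it.
    """
    lock = json.loads(text)
    root_name = lock["root"]
    report = {}
    for name, node in lock["nodes"].items():
        if name == root_name:
            continue
        locked = node.get("locked", {})
        kind = locked.get("type", "unknown")
        report[name] = {
            "type": kind,
            "centralized_forge": kind in CENTRALIZED_FORGE_TYPES,
            "rev_pinned": "rev" in locked,
            "content_pinned": "narHash" in locked,
        }
    return report


def count_forge_dependencies(text):
    """Number of inputs that must be fetched from a centralized forge."""
    return sum(1 for entry in audit_flake_lock(text).values() if entry["centralized_forge"])


if __name__ == "__main__":
    for name, entry in audit_flake_lock(SAMPLE_FLAKE_LOCK).items():
        print(f"{name:10s} type={entry['type']:7s} forge={entry['centralized_forge']} "
              f"rev={entry['rev_pinned']} narHash={entry['content_pinned']}")
    print("inputs depending on a centralized forge:", count_forge_dependencies(SAMPLE_FLAKE_LOCK))
```

Run against a real flake.lock (for example `python3 audit.py < flake.lock` after swapping the constant for `sys.stdin.read()`), the report separates two different concerns: the narHash on every locked node means a substituted or tampered tree from the forge fails verification, while the fetcher type shows which inputs cannot be built at all if that one host is down or blocks the fetch. The "github" entries the second poster points at are the second kind of dependency.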