Git server sounds centralized, IPFS can be decentralized, just for backup.
The intention is to enable multiple git servers which all act as mirrors behind an authoritative state issued through nostr events. IPFS could act as a git server in this scenario if the git-remote-helper works. That project looks a little stale.
As it is, but we discuss concepts here, right?
Fixing that git helper should be easy; however, before you invest too much in IPFS, beware its DHT is poorly designed and IPFS as a whole scales well.
*doesn't scale well
:)
for now
Isn't it appropriate for a project to use a lock file to specify a specific state of a dependency so errors due to a dependency update can be diagnosed?
Yes, uh, I'm confused, didn't we discuss this in the quoted thread? What's your question? The problem is how to find git or package repos of dependencies.
You can't just have a radicle ID (rid), you also need to know a bootstrap node of the respective swarm the repo is in. The bootstrap node then becomes a single point of failure the way GitHub is a single point of failure now.
cc @Josua Schmid
There are (at least) two quite different problems here:
1) How do I decide which version of a dependency I should use? Many projects trust package management tools (yarn, cargo, etc.) and centralised repositories (crates.io, etc.) to serve them the most suitable hashed state via commands like `yarn update` and `cargo update`. To what extent are these states signed by the dependency's maintainers and to what extent are these signatures validated on the developer's machine across language and package management ecosystems? I'd be interested to see some analysis of this.
2) How can I download a specific version of a dependency without relying on a centralised entity (GitHub)?
(1) is a good question. For the time being I'm assuming we have already determined a hash. So I'm trying to solve (2).
Mind you (2) happens much more often and in an automated fashion, (1) can be manual for the time being.
BitTorrent and Magnet Links?
Dreamt-up end state:
All deps are seeded right from build servers where the code is still pristine (or even from production servers, e.g. for Ruby gems if maintainers started including the tests and docs again, which they don't seem to be willing to do, see https://github.com/orgs/rubygems/discussions/7551#discussioncomment-8981632 )