Re: NPM and trusted binaries

[Ludovic Courtès]

Hi Mike,

Mike Gerwitz <address@hidden> skribis:

> Now how the hell is this enforced with thousands of dependencies that
> have not undergone any review, within a community that really couldn't
> care less?  Even something as simple as the license: package.json has no
> legal force; it's _metadata_.
>
> I feel like this will have to be manually checked no matter how it is
> done; any automated process would just be a tool to aid in a
> transition and keeping a package up-to-date.  I don't really see any
> other way.
>
> So I think that I share in your concern with how such a thing would
> possible be done.  My point is that if it can't, it shouldn't be at all
> (where is where we differ).

Yes, that’s a serious concern.  Maybe all we can reasonably hope to
achieve is to provide a core subset of the free NPM packages in Guix
proper, built from source.

People may still end up using automatically-generated, unchecked
packages for the rest.  Nevertheless, that would be an improvement over
the status quo.

(PyPI, Hackage, CPAN, and CRAN seem to be less problematic in this
regard, maybe because they are “culturally closer” to the free software
movement.)

Ludo’.