Re: [libreplanet-discuss] The dangers of repository deletion

From: Mike Gerwitz
Subject: Re: [libreplanet-discuss] The dangers of repository deletion
Date: Sat, 02 Apr 2016 22:46:43 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

On Fri, Apr 01, 2016 at 20:42:57 +0200, Fabio Pesari wrote:
> The recent left-pad fiasco on NPM just showed that in order for free
> software to be reliable, it must be stored permanently (since the
> license allows it).
> Github, the most popular project hosting platform at the moment, allows
> users to delete their repositories.

The NPM issue is a little bit different.  NPM is a place where packages
are published for use by a package manager (npm); its sole purpose is
distribution.  That's similar to running `make dist` and uploading GNU
packages to  In this case, you wouldn't want those packages
to disappear---people rely on them.  Same case with packages on NPM.

Git repositories are source code repositories and are not necessarily
distributions---especially if a build process is needed.  Now, some
people do use sites like GitHub for distributing packages.  Whether or
not I agree with that practice is irrelevant for this conversation, I
suppose; but in the case where they use GitHub to distribute their
package for installation or compilation, then moving it isn't a great
idea.  But if it's just a source code repository to a project that
distributes its packages elsewhere, I don't see that as a problem.

For example, a project may move its development elsewhere (e.g. GitHub
to Gitlab), but keep its distribution files on the same server.

Granted, we do have other unfortunate practices.  For example, some
language-specific package managers support cloning directly from source
code repositories.  Git's submodule support takes a direct repository
URI.  Situations like that complicate things.

So I think it's more nuanced.  I think it's fair to say that if a
project explicitly states a distribution site, then it should be free to
move its source code repository as it pleases, and that
language-specific package managers have an obligation to use those
distribution files.  Otherwise, they should accept the risk of things
breaking.  Same case with submodules.

As an example for my project, users should get GNU ease.js distributions
from, as stated by the site and release announcements.  But
they can also clone the Git repository from Savannah, or a mirror on
Gitlab and GitHub.  I offer no guarantees that the GitHub repository
won't disappear some day---in fact, I can more confidently state that it
might disappear than not.  The description on the GitHub repository
states "Mirror".  I feel no obligation to keep that repository there,
even if it didn't say "Mirror".

Mike Gerwitz
Free Software Hacker | GNU Maintainer & Volunteer
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
