Hare does not have a package manager, by design. We feel that package management is best left in the hands of distributions. We don't want the npm/pypi/crates/etc disease to infect Hare - your dependencies should be chosen carefully and conservatively.
I'm not sure how it's ignorant. I sort of prefer the C/C++ way of using/packaging libs. I wouldn't want it with higher level languages like C# or python, but a central repository isn't great in my opinion. Rust has people squatting on package names for no reason. Python packaging is so miserable there are a few different competing 3rd party package managers. NPM has had numerous security issues that have caused way more of a mess than anything C++ related. The C# package manager seems okay, but as far as I know will not package libraries as source code (I'm not sure about that one).
All the package managers I've used have pros and cons, including using none at all.
Why tie your application to a distribution? You're at the mercy of package maintainers, or you'll end up using docker to do package management in a safe way. There's no way to ensure that installing your required dependencies yesterday and tomorrow on a fresh install of Debian won't differ in a critical way. You could do that with NixOS, but I doubt that's the OS/package manager of choice for the target audience of Hare. Relying on OS package managers is partly why docker became popular, far more than most of the designed features of docker and the respective kernel features.
The fundamental issue with security of NPM is the same issue you encounter in any package manager: you have to trust the maintainers. It's harder to trust a larger group of people than a smaller group of people. I'd argue the better solution with NPM is to choose libraries more deliberately and monitor your dependency graph instead of stopping using NPM altogether.
Shitty package managers are shitty, yet Maven just works. It seems Golang has figured out a workable approach after 10 years as well. It's a solved problem. If other package managers refuse to learn, that's on them.
It is an ignorant one because without those, the industry would be far from where we are now, the cost of project development would be higher, and security fixes would have a very hard time propagating, leaving holes pretty much everywhere.
> borne of years of experience with these systems.
Which does not dismiss everybody else's experience.
And neither does your experience dismiss mine. I have also seen years of vulnerabilities going unnoticed in pinned dependencies four orders transitively removed from anything the developer has ever heard of, of malware being published without review in PyPI and npm, of bitcoin miners and private key sniffers, of bloated and unreliable code from reckless companies who would prefer to save on FTE salaries by leveraging any code they find lying on the street, all while I've seen the package management system I prefer - the one used by Hare - suffer none of these issues.
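The "monitor your dependency graph" advice above and the complaint about vulnerabilities hiding in pinned dependencies several hops from anything the developer chose are two sides of the same check. Below is an added example (not code from any commenter or from Hare) that walks a constructed, simplified lockfile in the shape of npm's package-lock v2 "packages" map, assumes every package is hoisted to `node_modules/<name>`, and reports packages beyond a chosen transitive depth as well as packages recorded without an integrity hash.

```python
import json
from collections import deque

# Constructed lockfile fragment (assumption: package-lock v2 layout, all
# packages hoisted so a dependency name resolves to "node_modules/<name>").
LOCKFILE = json.dumps({
    "name": "app", "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"web": "^1.0.0"}},
        "node_modules/web": {"version": "1.2.0", "integrity": "sha512-AAAA",
                             "dependencies": {"router": "^2.0.0"}},
        "node_modules/router": {"version": "2.1.0", "integrity": "sha512-BBBB",
                                "dependencies": {"parse-qs": "~3.0.0"}},
        "node_modules/parse-qs": {"version": "3.0.4", "integrity": "sha512-CCCC",
                                  "dependencies": {"left-pad-ish": "*"}},
        "node_modules/left-pad-ish": {"version": "0.0.9"},  # no integrity hash
    },
})

def dependency_depths(lock_json):
    """Return {name: depth}; depth 1 is a direct dependency of the root package."""
    packages = json.loads(lock_json)["packages"]
    depths = {}
    queue = deque((name, 1) for name in packages[""].get("dependencies", {}))
    while queue:                      # breadth-first, so the first visit is the shortest path
        name, depth = queue.popleft()
        if name in depths:            # diamond dependencies are visited once
            continue
        depths[name] = depth
        for child in packages.get(f"node_modules/{name}", {}).get("dependencies", {}):
            queue.append((child, depth + 1))
    return depths

def audit(lock_json, max_depth=3):
    """Flag packages deeper than max_depth and packages lacking an integrity hash."""
    packages = json.loads(lock_json)["packages"]
    depths = dependency_depths(lock_json)
    deep = sorted(n for n, d in depths.items() if d > max_depth)
    no_integrity = sorted(n for n in depths
                          if "integrity" not in packages.get(f"node_modules/{n}", {}))
    return {"deep": deep, "no_integrity": no_integrity}

if __name__ == "__main__":
    print(audit(LOCKFILE))
```

Run against a real lockfile, the same walk is a cheap way to see how far the transitive tree reaches past the handful of libraries you actually picked.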
I assure you, as a Python developer, that it is not an ignorant statement.
Pypi is a mess. Python packaging is a mess. I would rather download and include Python source code by hand than learn all of those 3rd-party packaging "solutions".
The only saving grace Python has is its vast standard library. So you don't have to reinvent wheels all the time.
The Maven model works pretty well. Namespaces avoid the squatting issues seen in Cargo, and some ground rules avoid NPM disasters like packages disappearing.
I understand not wanting to deal with the hassle of running a repo, but what about tooling around decentralized git repos? I can’t imagine distributions picking up Hare packages in larger numbers.
No, you don't do anything. Each distro packages it for you. It's not the vendor's responsibility to package their software themselves. I wrote about this in detail here: