One of the best things of PHP today is the ecosystem. The PSR [0] interfaces let you build your own framework using libraries from the major frameworks or independent libraries seamlessly.
What bothers me most about it is the lack of a checksum, which is something Go modules support. I think that’s a mandatory feature to prevent certain attack vectors. Other than that, I have no problem with this approach.
I'm not an "expert" but that feels just as insane as the npm argument people make. I'd love to hear from someone more in the know as to why they aren't the same.
They really aren't if you think about it. Going straight to a URL for a version of a dependency is the same as pulling it from a registry, except it's decentralized from a single source (NPM) and removes the extra hops in between the package vendor and the package consumer.
On the flip side, that extra hop adds a ton of convenience in the form of name-resolution, security and governance. It's the age old double-edged sword of centralization.
Maybe if you turn that url into a hash, than just use the hash to check if the package has a local copy already, it wont be so bad. But you will need to add the package version in the URL so that you know you will always have the package you really want in your local cache.
because npm's is implicitly in the build pipeline. You won't run 'npm install' on production! you run that on development/certification and then push the validated image to production.
With deno, there is no distinction anymore, kinda of. You still can send to production images that have the deno cache. Only thing that changes is the default. Previously you would have to explicitly run 'npm install' on the production host, failing that the code fails. With deno you still can choose to push to production an image without the caches (same as 'npm install' in prod), but now the default is that untested code in QA will auto install without hash check!
in summary: absolutely no practical change (i.e. no new feature impossible before) other than production defaulting to installing remote dependencies of proven-not-tested functions.
Maybe if your experience using a shell is only Window's CMD. I live in the shell. My Linux machines are configured to automatically open a terminal upon login and the first thing I do when I get a new Windows installation is getting bash working on it even if it's not for development.
What's the pricing structure going to be, ie. how much should I expect to pay for hosting a dozen of small git repos? I can't access the billing page without an account.
Thanks for your work for the FLOSS community, btw. I've got one machine running Sway and I might start using sr.ht.
You can choose any of $2/mo, $5/mo, or $10/mo, depending on your financial situation and investment in sr.ht. All plans have access to all features. Here's a screenshot of the billing page:
Thanks for providing this and thanks for allowing us to pay for an account. I hope that sr.ht becomes sustainable, it's great to have an alternative that is focused on open source developers.
No we already have enough of those. But one could implement a way of annotating that some code/package (in ordinary programming language) implements a certain specification. This metadata should be searchable through the package manager.
[0] https://www.php-fig.org/psr/