← Back to context

Comment by ForHackernews

2 months ago

I think you're being silly to be so insistent about this. 95% of Go packages are hosted on Github, a centralized hosting platform. The fact that they install via the git protocol (or do they? do they just use https to check out?) is immaterial.

95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

> what Go calls a package is a collection of source files in the same directory

What is it that you imagine Python or NPM packages consist of? Hint: A Python .whl file is just a folder in a zip archive (Python also supports source distributions directly analogous to Go)

[0] https://docs.astral.sh/uv/concepts/indexes/

[1] https://thelinuxcode.com/install-git-repository-branch-using...

7 comments

ForHackernews

Reply
Yasuraka  2 months ago

> 95% of Go packages[=code, the author] are hosted on Github

So "GitHub is every single programming language's centralized package repository, because lots of code is hosted there" ?

> Python supports installing from other non PyPI indexes > 95% of Python packages are installed from PyPI, but just like Go can also install from non-Github sources, Python supports installing from other non PyPI indexes[0] or even from a Git repository directly[1] like Go.

And yet there is a clear difference between source distributions and pip/npm/rubygem/cargo packages - and between tooling/ecosystems that ONLY support the former and those that MAY use either and unfortunately mostly use the latter.

> What is it that you imagine Python or NPM packages consist of?

Something like a script that runs as part of the package that downloads a tarball, modifies package.json, injects a local bundle.js and runs npm publish (see this post). Usually also hosted at the default, centralized, authoritative source run by the maintainers of the package management tool.

But I'm repeating myself.

> (or do they? do they just use https to check out?)

Maybe try it out or read the docs first.

I'm closing with this:

> NPM, Python, Rust, Go, Ruby all suffer from this problem, because they have centralized and open package repositories.

is either wrong or disingenuously misleading, requiring nothing to apply to every single thing, depending on how you slice your definitions. It does not hold any water, that is my entire argument.

  • ForHackernews  2 months ago

    k, let me know how your CI pipeline fares the next time there's a Github outage and we can revisit this discussion of Go's fantastic uniquely decentralized dependency management.

    • Yasuraka  2 months ago

      You really ought to research a topic before arguing.

      For the average user, both GitHub and default $GOPROXY would have to be down. For me, my CI runs where my (and code I've cloned) lives, self-hosted GitLab.

      4 replies →