Comment by giancarlostoro

7 days ago

I'm a little annoyed that for a Rust based tool the recommended installation command is to use npm. Why? Is Cargo not good enough? Cargo seems exceptionally good to me.

I get the frustration, but I think the npm option actually makes sense here. A lot of users who’d benefit from a fast Rust tool aren’t Rust developers and won’t have Cargo installed. Shipping it through npm lowers the barrier while still giving everyone the performance benefits. It’s not a knock on Cargo, just a way to make the tool more accessible.

  • Given the fairly shoddy security story with NPM, I genuinely don't understand the hesitation to publish a binary and have a README instruction to curl/wget it into `/usr/local/bin` or `~/.local/bin`. If it's going through NPM that publishing step has to be done already, unless the NPM build is pulling down rust to compile it all as a native extension.

    Eventually it'd wangle its way into homebrew or the unstable branch of another package registry.

    But that's me, because I really dislike installing binaries via a language's package manager, because they don't get updated unless I frequently run the upgrade commands for each package manager.

    • That (security) is something I also worry about. I'd like to get off npm if only for this reason. It's a hack to get started.

      The other thing it gives you is the ability to easily upgrade and uninstall so just a script to copy stuff is not on par.

    • Does it matter? You are apparently contemplating running a third-party binary on your machine anyway. It seems a bit weird to worry about npm’s security story, which is all about executing arbitrary code.

  • Anything that uses npm is fundamentally untrustworthy. I would argue that if you make an editor you should write software for people that want to use and write good software, which isn't anyone that unironically uses npm with anything other than distaste.

  • Many of them may not be Node developers either, and might not have npm installed. Using a dependency management tool for one language to distribute a packaged application written in an entirely different language seems like a very strange choice.

    Why not use the various standard and commonplace packaging and distribution methods for application software? Distro repos, tarballs, Homebrew, AppImage, Flatpak, etc.

I took the feedback and now you can install binaries in any of these methods:

- Homebrew (macOS)

- Arch Linux AUR

- Debian/Ubuntu .deb

- Fedora/RHEL .rpm

as well as cargo install (which builds from source), npm, npx, or building from source by cloning.

Can't it be packaged as a binary/whatever that would install without either cargo or npm?

  • You can use: cargo install fresh-editor

    Or you can use npm

    Or you can download release binary packages from Github releases.

    The problem is which option to make more prominent / first

    • Okay, in my case I like the binary from GitHub, and it's also more likely to end up in Homebrew.

I did it because not everybody has cargo installed. I'm using cargo-dist to create this npm package.

  • I don’t (and won’t) have npm installed. I do have cargo.

    strange thinking!

    • I would bet 100 Euro there is at least an order of magnitude, if not two or three, more installs of NPM clients than Cargo right now.

    • Then use: cargo install fresh-editor

      I've documented that as well; it just isn't the first option listed.

  • I've been wanting a generic package manager for a while that is cross-platform. I wonder how one could find funding for such a project. Thinking about users from various OSes installing tools and software from your niche package manager, yeah, that bad boy is going to grind to a halt if you have no key funding.

    • Same. I started writing one as a weekend project and got as far as having a GH repo with releases that mirror the binaries of the tools that I use, normalizing the archives so they can be installed in the same way. It auto-generates a release whenever the project authors update their projects.

      https://github.com/alshdavid/install-scripts/releases?q=node...

      https://github.com/alshdavid/install-scripts/releases

      All of the binaries here are expected to be standalone/portable installations, so you can download/extract the archive and just run the binary.

          curl -L --url https://github.com/alshdavid/install-scripts/releases/download/terraform-1.14.1/terraform-1.14.1-linux-amd64.tar.gz | tar -xvzf - -C "$HOME/.local/bin"
          "$HOME/.local/bin/terraform" --help

      I haven't written a package manager yet, but I was planning for it to just do the same thing as above but figure out your OS/ARCH, handle extraction and also offer a PATH update system so you can run `eval $(xpkg env)` and PATH is updated automatically.
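An added example (not part of the thread, and not the install-scripts project's own code) of the installer shape this comment sketches, with the one step the `curl | tar` one-liner skips: the archive is downloaded to a temporary directory and its SHA-256 is checked against a caller-supplied value before anything lands in `$HOME/.local/bin`. The `xpkg_*` function names and the asset-name layout (`name-version-os-arch.tar.gz`, as in the terraform URL above) are assumptions.

```shell
#!/bin/sh
# Added example: OS/ARCH detection, checksum-verified download, extraction into
# ~/.local/bin, and a PATH hint. xpkg_* names are hypothetical.

# Map uname -s / uname -m output to the "linux-amd64" style suffix used in the
# release asset names. Takes the two values as arguments so it can be tested.
xpkg_platform_name() {
  os=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$2" in
    x86_64|amd64)  arch=amd64 ;;
    aarch64|arm64) arch=arm64 ;;
    *) echo "unsupported arch: $2" >&2; return 1 ;;
  esac
  printf '%s-%s\n' "$os" "$arch"
}

# Hex SHA-256 of a file, using whichever tool the platform ships.
xpkg_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Succeeds only when the file's digest equals the expected (out-of-band) value.
xpkg_verify() { [ "$(xpkg_sha256 "$1")" = "$2" ]; }

# xpkg_install NAME VERSION EXPECTED_SHA256
# Downloads the asset for this platform, refuses to extract on a checksum
# mismatch, and cleans up the temp dir either way.
xpkg_install() {
  plat=$(xpkg_platform_name "$(uname -s)" "$(uname -m)") || return 1
  asset="$1-$2-$plat.tar.gz"
  url="https://github.com/alshdavid/install-scripts/releases/download/$1-$2/$asset"
  tmp=$(mktemp -d) || return 1
  if ! curl -fsSL -o "$tmp/$asset" "$url"; then rm -rf "$tmp"; return 1; fi
  if ! xpkg_verify "$tmp/$asset" "$3"; then
    echo "checksum mismatch for $asset, not installing" >&2
    rm -rf "$tmp"; return 1
  fi
  mkdir -p "$HOME/.local/bin"
  tar -xzf "$tmp/$asset" -C "$HOME/.local/bin"
  rm -rf "$tmp"
}

# Output meant for: eval "$(xpkg_env)"
xpkg_env() { printf 'export PATH="%s/.local/bin:$PATH"\n' "$HOME"; }
```

The expected digest has to come from somewhere other than the download itself (a checksums file you already trust, or a value pinned in your own scripts), otherwise the check adds nothing.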

    • By cross-platform, do you really mean Linux/BSD/Mac/Win/ChromeOS/Android?

      Or do you just mean something like Guix?