Hi Mike, Mike Gerwitz <m...@gnu.org> skribis:
> Now how the hell is this enforced with thousands of dependencies that > have not undergone any review, within a community that really couldn't > care less? Even something as simple as the license: package.json has no > legal force; it's _metadata_. > > I feel like this will have to be manually checked no matter how it is > done; any automated process would just be a tool to aid in a > transition and keeping a package up-to-date. I don't really see any > other way. > > So I think that I share in your concern with how such a thing would > possible be done. My point is that if it can't, it shouldn't be at all > (where is where we differ). Yes, that’s a serious concern. Maybe all we can reasonably hope to achieve is to provide a core subset of the free NPM packages in Guix proper, built from source. People may still end up using automatically-generated, unchecked packages for the rest. Nevertheless, that would be an improvement over the status quo. (PyPI, Hackage, CPAN, and CRAN seem to be less problematic in this regard, maybe because they are “culturally closer” to the free software movement.) Ludo’.
