Hi
I looked closer at the json output from npmregistry and found that they
host tarballs and give the url for every version in the json response.
("tarball" . "url").
All the npm packages I ever looked at (100 or so of the biggest and
dependencies of those) was hosted on Github.
I have a few questions regarding the wealth of information available
from this registry
1) Does anyone know if these tarballs are reproducible? ie do they
change over time?
2) Can we use the gpg signature for something?
3) SWH gives us tarballs according to commit ids. If we use npm-tarballs
we can store the commit in the json response (or look it up with the
github api) as a property:
(properties
`((commit . hash)))
Any thoughts?
--
Cheers Swedebugia
