From ITA conversation: the `legacy` namespace is too restrictive: there are many registries that speak the npm protocol, and we want to support those. @zkat recommended using an `npm:registry.npmjs.org/lodash`-style specifier (I'm probably getting the specifics wrong); this would allow for packages from arbitrary npm-style registries instead of the single "legacy" namespace.
Separate item from Rebecca: should legacy packages be synced between Entropics or pulled fresh each time? Right now the server can verify & advertise the fact that a particular package was signed, but clients must trust that server not to have done anything untoward when translating the package into Entropic format. Counterpoint: if the originating registry goes away, we must fall back on trusting the pre-translated package.