entropic-dev / entropic

🦝 :package: a package registry for anything, but mostly javascript 🦝 🦝 🦝
https://discourse.entropic.dev/
Apache License 2.0

Revisit the design of legacy packages #338

Open zkat opened 4 years ago

chrisdickinson commented 4 years ago

From ITA conversation: legacy namespace is too restrictive: there are many registries that speak the npm protocol, and we want to support those. @zkat recommended using an npm:registry.npmjs.org/lodash-style specifier (I'm probably getting the specifics wrong), this would allow for packages from arbitrary npm-style registries instead of the single "legacy" namespace.

Separate item from Rebecca: should legacy packages be synced between Entropics or pulled fresh each time? Right now the server can verify & advertise the fact that a particular package was signed, but clients must trust that server not to have done anything untoward when translating the package into Entropic format. Counterpoint: if the originating registry goes away, we must fall back on trusting the pre-translated package.

zkat commented 4 years ago

> @zkat recommended using an npm:registry.npmjs.org/lodash-style specifier

This is exactly what I meant 👍