From YouTube: 📦Package Managers WG Weekly Sync April 23, 2019
A
So it's not a kind of complete "here's how to build a decentralized package manager on IPFS", but it's more how to augment your existing package manager with IPFS whilst learning about the different kind of pieces of technology that are involved, like IPNS, IPLD and similar kind of steps, especially thinking about it as like: okay, well, how does someone go about publishing their first package, and then how do you index the number of different versions for a package?
A
Then how do you kind of keep track of a number of different packages and how that maps with the existing ways that package managers work? So that's, the link is in the notes. It's an ongoing Google Doc that I had to kind of start to get some feedback on soon. Also had an informal package manager meetup in London with Eric, Holly and Alex, and we talked about a number of performance problems and potential ways of negating some of that, as well as an interesting discussion around npm.
A
It has the ability now in the client to specify package releases before a given date, as a way of kind of avoiding, like, almost not requiring a lock file, by saying "I only want package releases before a given date", but it actually happens on the client, not on the server. So if the data on the server changes, say a package gets yanked, then that will- or it still asks a server for everything and the client just decides.
A
I also started looking into how we could add IPFS support to the Athens project, which is a proxy service for Go package management, as in Rev. You would point your Go modules configuration at an Athens server, which would cache or serve straight from cache. The modules revenue going out to many different git repositories across GitHub, mostly works for both private and public things, and has a really nice interface for building storage adapters, which we could potentially build an IPFS storage adapter. It's written in Go, so there's
A
quite a lot of crossover with go-ipfs there, and could be another way of reintroducing storing package content on IPFS for the Go projects in IPFS and other in Protocol Labs, now that gx has kind of been abandoned. So it looks to me like there's quite a happy path to get there fairly quickly and to actually kind of propose that. I was part of one of the
A
They have a weekly call, so I might dive in there and see how a mean will they be to adding that as support. Not blocked anything, and next I'll be carrying on with the documenting that I've been doing so far just kidding again.
B
So I was away for much of last week at DPLAfest, held a workshop there, not specifically package manager related, but was really useful for onboarding black done nothing. So next steps, I just really sort of need to formalize my actual work plan or have some chats about that this week and just get some stuff set up.
B
I know that pour should put together our best practices for that elsewhere, so we can definitely borrow from that, but just want to make sure that that doesn't fall off. For now, if anything feels amiss or feels like I'm going in the wrong direction, please, like, you know, because I'm still sort of, you know, finding my way.
D
C
C
C
So I was initially unsure if, yeah, I was initially unsure if this would be worth sharing publicly or not, because it gets to that uncharted territory at the end, but I guess the feedback I'm getting from folks so far is like: yes, if we should super share that. So I guess that'll be showing up in an issue later today or something other, no where else to put it. That's my item.
E
E
I'll try to make sure that you get looped into the meeting to chat more about exactly how they foresee themselves using IPFS, which of your logistic tree leaves that they are interested in pursuing so far. I also had a super long chat with Steven last night about different, potentially valuable tools built on top of IPFS for different types of package managers that are, like, seem to be feasible and invaluable in the near term, and this is kind of what the goal of how
E
How do we work with other partners in the ecosystem who are already trying to, you know, demonstrate value, where we could add additional value or meet an unserved need that some group of users is having with package managers, which eventually, hopefully, will have things like reliable default adoption that can really be stress testing idea best every single time they use it. And we had kind of like three top-level ideas.
E
A
Cool, yeah, so I also stumbled across another Windows Chocolatey-like package manager today called Scoop. It looks a lot like Homebrew, whereas Chocolatey looks a lot like NuGet, the Windows .NET package manager. Both of them work in a kind of a bit of a meta way, in that they really provide the package manager itself, and its registry is really a set of install scripts, which include a URL to go fetch the actual binary from somewhere else, which may or may not continue to be present.
A
So in the same way that Homebrew does, although Homebrew now is moving towards more caching, or like publishing the resulting binary of building a source code into their own infrastructure, which is Bintray right now. And these, like Chocolatey, actually sells the, like, slightly more reliable version as their pro version, so they're unlikely to want to kind of undermine their own business model by having everything automatically go out to IPFS. But there's also, like, questions around that.
A
Storing the binaries for private or, like, non-open-source applications on IPFS may rattle some cages, but those binaries are free to download from those websites. It's just that you may have to go through, like, a privacy policy or similar before you've actually, like, agreed to download it. So a gray area, I guess, and maybe it would be more of an opt-in, individual packages further like to enable that IPFS cache, rather than just try and, like, wholesale archive the whole of every Windows binary for random proprietary packages or applications.
A
Are there any other points that people want to bring up? Maybe Chris, as you're new here. Sure.
D
Yeah, I mean, I guess I should let you all know I'm applying for the JS core technical manager position right now, super excited about what Protocol Labs is doing. I'm joining this meeting mostly because I have a little bit of an itch to scratch about identity, and I'm curious how it fits in the package manager world. So in a nutshell, what I'm thinking about with identity is really, if you think about the design space, there's kind of like three kinds of identity. There's personal identity, which is what, you know, is actually the real thing.
D
D
What's enough and that's derived identity, which is like what your ISP knows about you, whether or not you want them to. And so I kind of think that if we build tools, for instance, if we built a tool that made the history of the Debian package repo transparent, as far as like: oh, like, that's weird, there's a, that one signature didn't validate, like, we're taking a closer look at that one, or oh, the change. My trainers on that package there, so a kind of red, yellow, green for different states in the graph.
E
A
This release was published and then there's like a jump. This happened. It's usually happened on someone's laptop arbitrarily, and then there's a package on npm or RubyGems, and there's no guarantee of anything between those two places other than, like, if I can run the same script and end up with the same package. That people will often- and even this applications Dependabot and Greenkeeper will often reference
A
So they just hope and dream that there was no one made any changes along the way, and it becomes very difficult to kind of be sure of what happened there, or if the same person did the same thing, because most registries don't really give you that kind of log of what happened behind the scenes. They really only give you the end result. And then there's, like, the actual work the Reproducible Builds project is putting in, that Eric can definitely talk more about.
D
D
It's kind of like similar to that derived identity approach, is to look at what's actually there and then give people road feel for, like, again, a kind of red, yellow, green for the different parts of my graph, so that, as a developer, you can know whether you're getting into a tangled mess or if some part of your dependency chain is relatively clean. I don't
C
Another keyword that might be a good search term, in case you haven't stumbled upon it by luck, is binary transparency, sort of like certificate transparency. I don't know if that term's being used super actively anymore, but there's a couple, like, mailing lists and archives that have discussed that topic a little bit. It sounds like you've thought about this similarity that maybe everything in there will be old hat to you. But oh.
D
I've thought about, you know, the breadth of it. I think I remember going to one conference talk from somebody who was trying to build a new package manager that was all signed, you know, turtles all the way down. But you know, that's the idea, but you can't validate everything and you can't clean up history. Just get a note note. What's going on there, some
C
Of the interesting things that I think we can say we've discovered in this group is also that putting, like, naming stuff on too early in the design, or too centrally, can get really weird, because, like, we're all here because we have content-addressable content, and then, like, ideally, we would love to have, like, content-addressable indices and immutable metadata for stuff like that, which is a little bit more of an exercise, because it's just more into like Canyonlands for the people, Ethiopia's systems historically.
A
The package managers repository is a great place to just open up issues with, like, discussion areas or, like, pointers to, like, "here's something interesting", hopefully to get a kind of a collection of everything that might be related to IPFS and package managers, whether it's short-term or whether it's really long-term. It's all, like, a good kind of mixing pot tip to throw stuff in. We haven't really started talking about different forms of identity.
A
The other thing that springs to mind there, and it's something that technically I can't do any work on until July because of a non-compete, is in solving some of the chain of, or like the kind of the ability to kind of archive your way back and work out
A
what's going on and highlight points that are, like, not so trustworthy, or "this is weird", is the kind of due diligence and security and licensing around open source, that companies open themselves up to all kinds of risk, and actually being able to kind of raise red flags for companies and go: hey, did you realize, like, somewhere along the chain of this?
E
A
Sorry, Zoom's just telling me I've got three minutes for some reason. Companies are quite like that, they value the risk assessment enough to actually pay for tooling to be able to do that. It's just that the data going into it is really crappy, and companies tend to hold whatever quality data they can get, rather than sharing that back out, and really that data should be, like, part of the open-source project.
A
If it's been collected around that, it should be, like, it was based off the commons, it should be available in the commons of that project in a continual way. But I think we have run out of time. That's the end of the slot. So thanks everyone for coming and we'll see you again next week. Thank you. Stop recording now.