From YouTube: Package Maintenance Team meeting - Sep 24 1029
Description
A
A
B
A
A
There is the, well, we need to have updated information, so it would have to be something like, well, you, you consider the latest published version of the package the version you would need, which means, if you've got tools that want to look at that data, they need to be able to efficiently get the latest version if it's published in the package. The alternate would be, viewpoint or discussion point would be, well, that data can change at any time, so it doesn't really make sense to be part of the package.
A
A
We had landed in what we'd written before that it would be inline in the package.json, with, you know, potential, I think the way it's, it's done is it could be externalized into a link later on and that, that field could be extended to be what it is today or link that would to point to that information.
A
But the discussions initially were that we wouldn't do that until there was a way there, like through NPM, more easily get just that one file versus having to, you know, external files was part of the package or come to, you know. I think that was, that was the main thing, is like, okay, if we, if we do make it a link, then it should at least be possible to make it a link within the package, but we'd want a way in NPM to get that other file efficiently.
A
Right, okay, there it is. So open this one, so it's 246, where I think, you know, there were some comments that it's, you know, it's, it's data that could change, so we're hoping that then that would sort of move back into the discussion in this issue. Why, though, I haven't seen that happen since the last comments about two weeks ago in the, the NPM issue.
C
To kind of make it optional, where we can go out with the direction that it should be either-or and then just wait for tools to catch up. For example, if it's part of package.json, then, when you npm init, maybe today we don't have an option to fill in the blank and later on, we put in a pull request to fill in the blank as part of that question-answer, where you go through when you npm init, but in the meantime not to go out with a starting spec.
C
A
Think we need input from the people who've had fairly strong views, one way or the other. I'm not sure that we have them at today's meeting. So maybe, if you want to comment in that issue as a, hey, is, you know, since we seem to have two, two ways we can go and, and there's still, there's, you know, relatively strong arguments either way, what if we go out with, you know, both options and then see what people end up using, end up using.
D
A
A
D
D
A
D
B
A
Yeah, yes, right, like I think it kind of hijacked 46 in the, in the NPM repo and that I think is like the original, the original poster's trying to repurpose it back to what they were trying to discuss, yeah, so I think it's better. So if, yeah, I mean Isaac seems to have some, some good comments, suggestions. I don't know if you can encourage him to bring that over to 241, sort of, I think we were hoping for that to happen and we can sort of push that for it again.
A
D
A
D
A
As that, I mean, we're a huge company, obviously production systems can't go anywhere, but I'm imagining this tool would be run not in the production system, but in your development and/or, you know, basically, when you're saying are we okay with these packages, not when I'm actually using them in production. So for me at least, on my local desktop I could easily run them.
A
D
Yeah, yeah, so I think that's quite common, a lot of companies. We would like to be more involved in what things, like, we do have these restrictions, and maybe what reasons that they're not involved, and as we bring them in we'll see more of the things within our servants or FinTech communities de restricts us and we are trying to work on, but no reason not to have a link.
D
A
Ok, so I think that's really the next step. Like I think if we can come to conclusion on that last issue, then we do have another issue which is like putting together a blog post and so forth, but I think in that blog post it would be nice to say, you know, this is the way it is, here's all the discussion, here is even an issue you can go read about it, but this is what we've decided to do for now. So we go out any other comments.
E
A
E
A
E
A
E
A
A
A
So this is the one where we had best efforts and I think my, somebody pointed out that that actually can cause some grief legally, in terms of best effort can be interpreted as trying hard and somebody could legally try to expand performance. So there was a bit of a bike shed in terms of names manual.
C
C
C
You know, that one to me seems like the most, like, legally non-binding, I have promised nothing to you, sort of a phrasing that doesn't actually say I promise nothing, so I, probably something but no, nothing, yeah, but I can't be helped. Grant, yeah, don't hold me Liz, but I was right, you add, and I will completely trying to do it.
A
Yeah, if we want to, if we, we could ask that to the, the foundation, on the foundation side, like of these, you know, is there maybe, is there a concern there at all? We could even ask.
A
So maybe that's the next step, is I could take it to, I could ask the question to see if we could get, you know, some advice from the foundation side, is like, you know, this is, this is the way we've got, you know, we've got four, three, one, this is the concern that was expressed. You know, is there a concern here and is there a recommendation that would nudge it in the direction of any one versus another.
C
I like that we had a vote, but I'm not sure it's clear to everybody who might have an opinion about it that the vote was occurring, the way that it's currently structured. We have some sort of other link, as opposed to like inline in the chat, that we could share in the channels and things like that and get buy-in from people who may or may not be involved in the actual, this particular pull request, so make sense.
C
A
Could do that. We will, like, we will go to a next round when we publicize it more broadly, right. So I think the key thing is to make sure that the people putting this together aren't comfortable with what we've got. Yeah, I'm just, I'm just worried the more, you know, we can go abroad on every single thing, but then that'll, that'll stretch things out and I.
C
A
A
C
C
A
A
C
C
C
F
F
It's also worth pointing out that in the document itself, we do have a definition of what it means, right. The maintainer is interested in fixing. There should be no expectation on response times, so we do have a definition of that. So, as the key word itself does not necessarily carry weight because we do have so.
A
Right, that's a fuss affair, okay, and I'll make sure to include that in what I send that says, whichever we choose, this is gonna be the description which defines what it is. Okay, cuz, yeah, that's a good point. You know, you, I guess it's that you don't necessarily see the description, but yeah. Okay, I'll put that in, we'll get that and then we can have a final, this is what they said, either there is a concern, not concern. Well, what do we want to choose.
C
Yeah, give me a flashback to, I saw a post one time about a guy getting a life sentence, because country code made it into a doctor's office and he inadvertently, you know, did somebody, yeah, I was like, imagine if he had had a good SLA in Ehsan for his software. Maybe, you know, they could have shared the blame with the devs or something like that. But nope, just imply himself.
A
A
D
Yes, I think with what, what I did when I started on that is I'm coming at this, so I know what we want to do, but I think we made, because we've been engaged for this for a year or so, when I started writing a blog, I thinking, hang on, most of people coming into this have no idea we even exist. So we have to address that and address, is there be no context and I, we started off from stop talking about what we're gonna put in package.json without giving the broader context.
D
So what I needed now is, I think I've got like at the broad outline. We need that in the meat of it, which I think I might, I may need again a call with a manual, and maybe yourself, and just get it down, because I can and pass Edgar. We can write pretty fast, but we need more context now for getting the meat and potatoes in, so I'm just looking at, I was just looking at a comment from, I think, Manuel. He did is nine days ago. I'm just checking, yeah.
D
D
D
It's one of those things I'm not quite sure if it's gonna work, us going backwards and forward because back with the shirt, but I think that, I think he actually needs, I've gotta set up some time within, I'm quite happy to sit down with him and in a door with a typing or whatnot week to broaden the, the issue, because essentially Michael, what I've done is I've done a very broad, inter, interaction, but I've not actually gone down to the problems we're trying to address with before.
A
D
A
A
D
A
Directly, I think the next one, like Matteo has been involved a little bit in terms of MQTT, but I think, you know, the Express has been the one we've been sort of the most active on and probably getting through that one in the boards and stuff. You know, then we can see if some of the same stuff might help and the MQTT front makes sense. I, yeah.
C
C
A
I think especially if we had somebody from some of the other packages who was very active and sort of helping the champion and push it, then maybe we could do more than one, but in the current state, I think continuing to push on the Express side, and then, you know, taking what we learned there to the other ones would make more sense. Yep.
A
F
Had a call with Wesley and discussing that, and then he created that issue and yeah, there's, I'm looking forward to actually doing some more work on that specific problem, and, and the problem is that, if you want to publish from CI, there is no way to enter a one-time password right now, right. There is no way to provide that second factor, you neither have to.
F
B
A
Like, you know, I can see, I can see for like GitHub, right. You know, you get us, you get a secret which you can use as an alternative, which maybe you don't want to put into your CI, but at least you can. I remember there was at least one implementation, though, where you just couldn't even get, you didn't necessarily get that and it also didn't give you the, the, like the token, you know, some of the, some of the implementations it gives you both.
A
F
F
But if you want the one-time password, you at the moment in NPM, you can only provide it via command line or we can put it in the npmrc, but that's kind of pointless, and what, what I've been working on, towing the idea that was, that was before, and the situation changed. So what I've been working is, we played around with the idea of having a service which you can call, which then sends a notification to your phone.
F
F
It is a bit fiddly to implement, but it is one way around it. The problem with that is that, it's something that Wes raised as well, is that you need to run that as a service somewhere, right, and while reliant on some provider to send notifications, and there are two ways you can go: you can go through Firebase.
F
If you want to work with Google, you can use some sort of a third-party provider, but that's a cost, right, you're running service and you're maintaining something and, and, and you cannot delegate that's completely to a third party, because, you know, you're giving them access to your tokens. Attention which sort of raises concerns, right. So what we've developed in NearForm is a waa where in your phone and only in your phone, you have the seed and you can respond to notifications.
F
But that doesn't mean yet that you need to run a service to handle the actual communication, and you can, I know that Electron have a similar thing and they do the notification communication through Slack. So you can sort of integrate, right, CI and makes a request to Slack, bot says, you know, please enter OTP, you enter OTP, Slack, what responds, or at least that's, that's how I imagine it works. I haven't actually looked at the code just yet, so there's, these are.
F
These are the various things, and there's also various authentication providers that provide similar things, that provide a second factor through an API and they do send notifications, so there's Duo Mobile, not to be confused with Google Duo, which is it completely. This Duo Mobile that provides a, an OTP thing. I think Aussie has something similar.
F
B
Aside from NPM's capacity and, you know, roadmaps, you also got to consider the number of available registry backends out there and whether or not the interoperability of those things will make sense, like there, there's definitely a lot of scenarios that we know of, and, you know, some of us on the call maybe know of as well, like from there today, where you would be using both the public registry and a private registry that's either hosted or managed, or whatever kind of combination of the above, so like.
B
How would, how would such a solution work if the source of truth is not a single back-end and/or, you know, any sort of middleware technology or something along those lines is not facilitating the need for multi registry. So, like, that's a challenge, of course, it's not a challenge. It applies to everybody bets, definitely, a challenge. That is real, that if you introduce anything that, in firms or, and, you know, makes it solid opinions about how this would work, it needs to work across the board universally.
B
So, right, aside from, you know, what we might or might not be able to do, you know, or not from like the NPM official registry side of things, and that's kind of a hindering aspect and the way we do things as well, like any sort of change we introduced, we also got to be careful about not breaking everybody else's implementation of a registry interface, I mean.
A
My first thought as well as this doesn't sound NPM specific, in that, you know, if I'm, if I'm developer and I'm publishing packages for multiple languages, I don't necessarily want it to be different for each of those languages, right. So if I'm gonna have to prove a publish for Maven or a publish for NPM, I prefer to have a common, you know, whether it's the Slack or whatever it is, as opposed to something which is like.
A
The npm app I got to have, the Maven app I got to have, that, so I can, I can see from that perspective it also makes sense to say, you know, if there's a generic solution, then, you know, like, like the Slack one's kind of interesting in that, you know, I guess you could have like, I mean, does that require anything on the NPM side?
F
Yeah, that's, that's roughly how it works. You do have to have an intermediate service that communicates, so you do make, I'll have to review the exact details of the Electron's internal, implement, the tool they use internally, they're planning to open sources from what I understand, but, but you still need to make an HTTP request from your CI Brian. Do you get a response back eventually Brian.
A
That seems like a relatively low integrate level integration point in that, like, if it's a URL, if it, you basically have some, you know, there's something to make that easy in your CI, then the backend URL, you know, if it's something that just posted the Slack and you get the answer back or you post it to some other messaging or even some automated app, if you want to do that, right.
B
Yeah, I mean, I'll just repeat my point: so long as that doesn't break your ability to mix and match things on the backend. Again, it doesn't have to be NPM back-end specific. But if introducing such a workflow means people can't use their private registries with Sonatype or JFrog or otherwise until such that those back-end HTTP interface is also implemented, then it's, it's so.
C
F
Exactly, this is a separate service outside of stuff, so yeah, the actual, the, the way you do it from CI, that's, that's one way to go. However, I'm a better revisit that an issue to describe, yeah, okay, may not be talking about the same, the same, the same thing, but I say, I see what you mean about the other services, but if they don't OTP or if they don't provide any others form of providing the OTP, then, then it's a separate thing. Yeah.
B
F
A
F
A
D
F
It's a matter of practicing that authentication Authenticator programmatically from CI, but yeah, okay, I'll try to rephrase and see where we can implement the other option. There was discussed in this year as some sort of stage release option which would allow you to publish from CI and then to approve on the registry itself and, but that's probably and might be a significant change there. Yeah.
A
Yeah, that's kind of an interesting option in that it does, let's, I guess it lets you decouple the two things, right: sort of you'd have a pending published and then you could go in and say, yeah, okay, these are all ones I, I understand. I don't know what I'ma do you ever thought of that on the NPM side or.
A
A
D
F
And because that, that also gives you the, the extension of, of handing that any team whereby, if you have multiple owners of the package, either one can approve, whereas if you're doing OTP, then you have to have the token and you have to know exactly who is making the publish, which means more work. Yeah.
B
I mean, that still doesn't take away the need for a more granule, the granular level of published token management and to a fair on that, so like now becomes secondary to. If that's problem is solved and introduced a second layer of pre, pre-release packages that tokens can not require to a pay for solve.
B
Or equally can also, again, this is all hypotheticals. You know, worthwhile having conversations, but not ones that have happened internally yet, but you can eat, you also like just associate that with semver in general. On the same as a rule, anything that's major requires two factor authentication. Anything that's not me right now are, depending on the up your own policy for your own team. But again, those are not conversations that we have. It's interesting that we're having this ideation thing. It's probably worth taking that back and seeing what we can do with it.
A
F
A
F
A
Yeah, these depends, like zero I'm, Q, I think, like serial ports, I don't know, but fast. If I, some of them, though, like I guess it's like, is there anything in terms of helping or and van July's about people being ready for a new version, which is what these are? Some of them, I think, are native modules, though, that run into problems.
A
A
A
On the others, I'm not sure there's enough info in this, but I think really the answer more is, you know, can we think of things that we should be doing to help. I mean, part of it, part of our testing suggestions or around testing LTS versions and current, encouraging people to test early. I, I don't think, like in terms of this is right now version 13, we, you know, there's nothing.