> require that the crate content match the [commit] hash.
If you want to audit a crate, you don't need to require that it "matches" anything else, you can just audit the crate. Download the source tarball from the same URL that Cargo would and audit it. I think the problem with crates.io is that it just gives you the GitHub link (possibly misleading - bad!) and doesn't just give you a button to download or browse the tarball that Cargo actually uses (what you see is what you get).
Defining "matches" and enforcing it against a remote Git repository is non-trivial. It gets worse with NPM because those packages are sometimes the output of the Typescript compiler or Webpack, so now you need reproducible builds (a huge task) and a CI infrastructure to validate them. Nuget distributes .dll files, which often aren't even open source. There's no hope to enforce a correspondence with a Git repository there. A developer who wants to audit a Nuget package has no choice but to decompile it.
NPM clearly has a malware problem, and Cargo will eventually have one because it really wants to be like NPM. I'm not convinced that what you propose is the solution.
I think I remember discussing this briefly in #rust with you. It's clearly not the case that "everyone understands" how these package managers actually work, but I'd rather see the reality become more obvious than give up and shackle these package ecosystems to Microsoft even harder than they already are.
The situation is unfortunate, but the grievance is legitimate. I regularly have to provide tech support to users when shell scripts fail with a terse "Permission denied" trying to invoke Python because the Windows Store launcher is higher on %PATH% than the Python that they just installed.
It seems like in practice the biggest problem is "it got deleted", and everything else is about either preventing others from deleting your stuff or preventing yourself from deleting it out of laziness or frustration.
Deploying a web site with (S)FTP works as well as it ever did... and is just as obscure to non-technical people as it ever was. Ease of use means loss of control.
This is the case. With an addon that deletes most but not all homepage items or sidebar recommendations, YouTube does some noticeable spinning trying to fill the space which keeps getting emptied.
In this scenario you'd be losing all your backlogs and user registrations anyways, so why re-use the existing client with a stapled-on redirector over switching to something you can actually deploy yourself?
I recently ported an early-2000s 2D game to WebAssembly and old Asyncify was too clunky and the Emterpreter was too slow to be useful. To get things working comfortably I ended up porting the game loops to use Clang's support for the C++ coroutines TS, with a simple scheduler that yields control back to the browser after every screen flip. I will have to see if this new Asyncify can do any better.
MSYS2 has been distributing a native Windows port of bash for years; it's completely stable and works great (it's the one used in Git Bash). "Maturing quickly" refers to the reverse-Wine/integrated VM situation that MS is developing in WSL.
If you want to audit a crate, you don't need to require that it "matches" anything else, you can just audit the crate. Download the source tarball from the same URL that Cargo would and audit it. I think the problem with crates.io is that it just gives you the GitHub link (possibly misleading - bad!) and doesn't just give you a button to download or browse the tarball that Cargo actually uses (what you see is what you get).
Defining "matches" and enforcing it against a remote Git repository is non-trivial. It gets worse with NPM because those packages are sometimes the output of the Typescript compiler or Webpack, so now you need reproducible builds (a huge task) and a CI infrastructure to validate them. Nuget distributes .dll files, which often aren't even open source. There's no hope to enforce a correspondence with a Git repository there. A developer who wants to audit a Nuget package has no choice but to decompile it.
NPM clearly has a malware problem, and Cargo will eventually have one because it really wants to be like NPM. I'm not convinced that what you propose is the solution.