> require that the crate content match the [commit] hash.
If you want to audit a crate, you don't need to require that it "matches" anything else, you can just audit the crate. Download the source tarball from the same URL that Cargo would and audit it. I think the problem with crates.io is that it just gives you the GitHub link (possibly misleading - bad!) and doesn't just give you a button to download or browse the tarball that Cargo actually uses (what you see is what you get).
Defining "matches" and enforcing it against a remote Git repository is non-trivial. It gets worse with NPM because those packages are sometimes the output of the Typescript compiler or Webpack, so now you need reproducible builds (a huge task) and a CI infrastructure to validate them. Nuget distributes .dll files, which often aren't even open source. There's no hope to enforce a correspondence with a Git repository there. A developer who wants to audit a Nuget package has no choice but to decompile it.
NPM clearly has a malware problem, and Cargo will eventually have one because it really wants to be like NPM. I'm not convinced that what you propose is the solution.
I think I remember discussing this briefly in #rust with you. It's clearly not the case that "everyone understands" how these package managers actually work, but I'd rather see the reality become more obvious than give up and shackle these package ecosystems to Microsoft even harder than they already are.
The situation is unfortunate, but the grievance is legitimate. I regularly have to provide tech support to users when shell scripts fail with a terse "Permission denied" trying to invoke Python because the Windows Store launcher is higher on %PATH% than the Python that they just installed.
It seems like in practice the biggest problem is "it got deleted", and everything else is about either preventing others from deleting your stuff or preventing yourself from deleting it out of laziness or frustration.
Deploying a web site with (S)FTP works as well as it ever did... and is just as obscure to non-technical people as it ever was. Ease of use means loss of control.
This is the case. With an addon that deletes most but not all homepage items or sidebar recommendations, YouTube does some noticeable spinning trying to fill the space which keeps getting emptied.
In this scenario you'd be losing all your backlogs and user registrations anyways, so why re-use the existing client with a stapled-on redirector over switching to something you can actually deploy yourself?
I recently ported an early-2000s 2D game to WebAssembly and old Asyncify was too clunky and the Emterpreter was too slow to be useful. To get things working comfortably I ended up porting the game loops to use Clang's support for the C++ coroutines TS, with a simple scheduler that yields control back to the browser after every screen flip. I will have to see if this new Asyncify can do any better.
MSYS2 has been distributing a native Windows port of bash for years; it's completely stable and works great (it's the one used in Git Bash). "Maturing quickly" refers to the reverse-Wine/integrated VM situation that MS is developing in WSL.
> purely because the internet companies are also content companies
I have no doubt this is a reason, but most ISPs also oversell their bandwidth. If every customer with a 10Mbit line is only using it 10% of the time, your upstream lines only 'need' to be 10% of 10Mbit * the number of customers (plus whatever margin for spikes).
It's senseless to store files that don't have user-facing meaning in My Documents. I know games that use it varyingly for web caches, shader caches, binary config files, debug logs, Lua scripts, downloaded mods, and even executables. And while arguably most gamers understand what save files are, they can't be double-clicked to open them, so I don't consider them documents (Maybe this is pedantic).
All this kind of stuff is what Appdata\Roaming and Appdata\Local are supposed to be for.
DVDs have region locking. The United States and Canada happen to be in the same region, and there are bypasses, but technical controls against importing digital goods are already normalized, and I doubt this analogy will convince policymakers.
I'd argue that it's the practice and not the principle of auto-updates which is unsound. Automatic security patches make a lot of sense in the current security climate, but once that infrastructure exists it is irresistible to use it for random feature creep and marketing.
The author means making compute time on the hardware available to run CI builds on their service. If you care about porting your software to RISC-V enough to want to test that software there, hardware is probably a more accurate harness than qemu.
Most YouTube copyright complaints are not actually DMCA complaints. The complainant is just asking YouTube nicely (whether that be manually, automated on their side, or automated on YouTube's side) and YouTube is complying of its own volition. 4J of their terms: "YouTube reserves the right to discontinue any aspect of the Service at any time."
This is basically what Netflix used to be before the existing distributors realized they wanted in on the new action. The same pattern is playing out in games as well, though slower. Origin, Uplay, Battle.net, and most recently Epic are all trying to cut in on Steam's dominance and using exclusives as leverage to do it.
If you want to audit a crate, you don't need to require that it "matches" anything else, you can just audit the crate. Download the source tarball from the same URL that Cargo would and audit it. I think the problem with crates.io is that it just gives you the GitHub link (possibly misleading - bad!) and doesn't just give you a button to download or browse the tarball that Cargo actually uses (what you see is what you get).
Defining "matches" and enforcing it against a remote Git repository is non-trivial. It gets worse with NPM because those packages are sometimes the output of the Typescript compiler or Webpack, so now you need reproducible builds (a huge task) and a CI infrastructure to validate them. Nuget distributes .dll files, which often aren't even open source. There's no hope to enforce a correspondence with a Git repository there. A developer who wants to audit a Nuget package has no choice but to decompile it.
NPM clearly has a malware problem, and Cargo will eventually have one because it really wants to be like NPM. I'm not convinced that what you propose is the solution.