See this Hacker News thread on the lack of canonical best practices for packaging/deployment in Python and Ruby (in particular the subthread https://news.ycombinator.com/item?id=7802228 ):
https://news.ycombinator.com/item?id=7802005
note situations like the one in subthread https://news.ycombinator.com/item?id=7804129
in Oot we need to make such problems go away by focusing core dev effort on them as soon as they arise.
--
https://github.com/Microsoft/nodejs-guidelines/blob/master/windows-environment.md#max_path-explanation-and-workarounds
" MAX_PATH explanation and workarounds
For the uninitiated, MAX_PATH is a limitation with many Windows tools and APIs that sets the maximum path character length to 260 characters. There are some workarounds involving UNC paths, but unfortunately not all APIs support it, and that's not the default. This can be problematic when working with Node modules because dependencies are often installed in a nested manner. "
---
to fight library typosquatting (eg urllib vs. urrlib3, bzip vs. bzip2, etc):
- have some level of approved-ness where we DO do a quick human check for obvious typosquatting or impersonating (esp of stdlib or popular packages), but don't actually review the code
- the user has to do something special to permit installs of packages that don't have at least this level of checking
- if typosquatting is found, announce it on the repo's blog and/or twitter etc
- installer shouldn't need root access
- arbitrary code shouldn't be executed at package install (or removal) time, and maybe not even at import time (may need some metaprogramming at import time tho)
- consider TUF (The Update Framework)-style signing, as proposed for the OCaml OPAM package manager by conex. See https://github.com/hannesm/conex-paper/blob/master/paper.pdf
- and in any case need some code signing
- "It needs to be easy for developers to open source their code, and to mark dependencies with precise commit hashes, but the download also needs to be secure and verifiable."
- "OPAMv2 also exposes sufficient hooks during the build process for using OS sandboxing during builds, and disconnecting network access/etc. It would be nice to factor this out to be more OS independent (e.g. for all the `unshare` tricks on Linux, or the sexp-format for sandboxing on OSX) in the future."
---
this looks like a really good way to do packaging:
https://yakking.branchable.com/posts/what-and-why-nix/
---