There's a big gap between "meh, it's okay" and "PyPI really goes above and beyond to serve the package developers and the users too".

It's strange (unexpected? totally expected? sad?) that the for-profit npm (which started out as the butt of every supply chain joke) seems the most dev-friendly.

E.g. npm has namespaces (and neither PyPI nor Rust's crates.io does. And the Rust dev experience is usually considered sublime, and the whole decision making in Rust land is [was?] very dev-driven.)

> which started out as the butt of every supply chain joke

Mostly because 99% of developers know nothing about supply chain attacks, and leftpad blew up.

Both npm and Rust should force 2FA. Thankfully, crates.io forces GitHub SSO, and GitHub will eventually force 2FA.

> Thankfully, crates.io forces GitHub SSO.

Ouch. That must be difficult for any Rust package maintainers whose GitHub accounts were deleted a few months ago due to the Russian war sanctions.

Yes, Putin is a piece of shit, unfortunately.
