I think a healthy middle ground would be having a prominent community run package resource that users could submit their own packages and provide links to their Git, Fossil, Hg repos. The service could then pull information from the repos, letting users search for packages, see how maintained they are, and install what they expect.
Hare’s pretty cool but I disagree with the core team about not having a package manager. It’s unrealistic to expect every developer to roll their own HashMap or web server. Depending on distro package managers has faults too. Many distro package managers have poor discoverability. How do you know what library you need without Googling through unrepeatable tutorial sites?
If you’re interested in Hare, a super new low-level go/c/rust inspired language check out my ANSI terminal colors lib https://GitHub.com/TristanIsham/color
If anyone’s a Rust developer could you help me debug a “Expected expression, found ‘}’” issue? https://github.com/tristanisham/inert/issues/1
I’d like it if the Go linker/compiler would hash personal information like file paths in the final build so as to maintain the convince of all the information, but without that potential risk.
But, for programs that might put users in danger like VPNs in Iran or encrypted messengers in Russia. Having that kind of information packaged in a dispensable binary could put the author at risk and help authoritarians mitigate peoples freedom.
This info is fine to include in practice. It makes authenticating legitimate binaries easier, package management simpler, and there’s no harm in having function names be public.