On Fri, Apr 01, 2016 at 20:42:57 +0200, Fabio Pesari wrote: > The recent left-pad fiasco on NPM just showed that in order for free > software to be reliable, it must be stored permanently (since the > license allows it). > > Github, the most popular project hosting platform at the moment, allows > users to delete their repositories.
The NPM issue is a little bit different. NPM is a place where packages are published for use by a package manager (npm); its sole purpose is distribution. That's similar to running `make dist` and uploading GNU packages to ftp.gnu.org. In this case, you wouldn't want those packages to disappear---people rely on them. Same case with packages on NPM. Git repositories are source code repositories and are not necessarily distributions---especially if a build process is needed. Now, some people do use sites like GitHub for distributing packages. Whether or not I agree with that practice is irrelevant for this conversation, I suppose; but in the case there they use GitHub to distribute their package for installation or compilation, then moving it isn't a great idea. But if it's just a source code repository to a project that distributes its packages elsewhere, I don't see that as a problem. For example, a project may move its development elsewhere (e.g. GitHub to Gitlab), but keep its distribution files on the same server. Granted, we do have other unfortunate practices. For example, some language-specific package managers support cloning directly from source code repositories. Git's submodule support takes a direct repository URI. Situations like that complicate things. So I think it's more nuanced. I think it's fair to say that if a project explicitly states a distribution site, then it should be free to move its source code repository as it pleases, and that language-specific package managers have an obligation to use those distribution files. Otherwise, they should accept the risk of things breaking. Same case with submodules. As an example for my project, users should get GNU ease.js distributions from ftp.gnu.org, as stated by the site and release announcements. But they can also clone the Git repository from Savannah, or a mirror on Gitlab and GitHub. I offer no guarantees that the GitHub repository won't disappear some day---in fact, I can more confidently state that it might disappear than not. The description on the GitHub repository states "Mirror". I feel no obligation to keep that repository there, even if it didn't say "Mirror". -- Mike Gerwitz Free Software Hacker | GNU Maintainer & Volunteer https://mikegerwitz.com FSF Member #5804 | GPG Key ID: 0x8EE30EAB
signature.asc
Description: PGP signature
