On 13/11/14 15:56, Martin Geisler wrote:

> Maybe a silly question, but why insist on this? Why would you insist on
> installing a JavaScript based application using your package manager?
> 
> I'm a huge fan of package managers and typically refuse to install
> anything globally if it doesn't come as a package.
> 
> However, the whole JavaScript ecosystem seems to be centered around the
> idea of doing local installations. That means that you no longer need
> the package manager to install the software -- you only need a package
> manager to install the base system (NodeJs and npm for JavaScript).

Yeah, I understand you.

But doing local installs, or installing things aside from a package
manager, means that software is not maintained or properly updated any more.
I'm a huge fan of not bundling stuff and re-using libraries from a
central location. Copying foreign code to your own codebase is quite
popular in the JavaScript world. That doesn't mean it's the right thing to do.

Having a package manager pulling updates for your system (rather than
various applications trying to update themselves) is a big feature.

Just try to keep your Windows system up to date: how many different
update tools do you need to use? Are you sure you really got them all?
Look at node.js CVEs listed in another mail to this thread. They were
all due to copying foreign code into their code base.

Matthias

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
