Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The dependency management story (and noted by the author) is one where I wish people would just steal Java's approach.

1) Every package is namespaced 2) Namespaces are DNS names that you can prove you own

It eliminates typosquatting, and the drama of "someone created a bunch of helloworld crates just to grab the good package names"



I think Go's approach is similar - if you have a public repo, then whatever the DNS name is gives you a unique module name. For example, both of these modules can exist, and I can import both into a given Go project:

github.com/rs/zerolog

mysite.com/myforks/zerolog


“foo.int” is a valid domain but is not possible to use as a Java namespace. What do you do when your company gets bought or changes names? (com.sun.whatever vs. com.oracle.whatever)


Yeah, not a valid Java package name, but can still be used as a group id for your artifact although it'd feel a tad odd.

Sorry, I realise I've been overloading package to mean "dependency you download" (I'll stick to artifact now) when package has an existing meaning in Java, and I'm muddying the waters a tad there.

There's no requirement for Java package names in an artifact to match the group id. E.g.,

> my-domain.com -> com.my-domain (NOTE: The groupId should reverse the domain name exactly, even if the domain name contains hyphens or other characters that would result in an invalid Java package name. Hyphens are perfectly acceptable in groupIds, and you would not need to change your Java package name to match it)

https://central.sonatype.org/publish/requirements/coordinate...

> com.sun.whatever

Oracle owns sun.com and runs artifacts that use that group id prefix, so yeah, when you get bought or change names, you can just keep the old name up and running. If you can't, or don't want to, I have seen some projects change group id, and there's tooling for artifact publishers to do so in a way that doesn't break end users, it's a bit clunky, but doesn't tend to occur that often. https://maven.apache.org/guides/mini/guide-relocation.html

Having artifact group id tied to DNS names isn't super-duper flexible, but it offers some assurance that the dependency you're introducing is published by the people you think, so attackers can't easily steal crypto wallet info by publishing pandass pndas pandsa to catch people who typoed pandas etc. etc.


I think that requirement applies to the maven central GroupID, which may or may not be related to the Java package name.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: