Something to consider when thinking about package management for a language

Maybe this is a case where having a centralized registry does pay off?

1 Like

Yea, I think a mitigation that could work would be to select which package to download using the author’s name and the package’s name.
So like install zenith391/zgt would be enough to prevent most problems.

2 Likes

The typo shadowing was one thing, but the bigger part is: why does a library about decimal math need internet or file system access??? As long as our computer systems are designed to hand out privileged access willy-nilly, things like this are gonna happen.

3 Likes

How do I install libs on Zig?

There’s no official package manager yet, although there are some very good options developed by the community like zigmod and gyro. You can also add dependencies manually via the robust Zig build system, covered most excellently in this series.

1 Like

That’s a good point imo. For example, golang has an (almost) fully decentralized package system and this doesn’t seem to happen too often, I think partially because package names are fully qualified.