Something to consider when thinking about package management for a language

Maybe this is a case where having a centralized registry does pay off?

1 Like

Yea, I think a mitigation that could work would be to select which package to download using the author’s name and the package’s name
So like install zenith391/zgt would be enough to prevent most problems

2 Likes

the typo shadowing was one thing, but bigger part is why does a library about decimal math need internet or file system access??? as long as our computer systems are designed to hand out privliged access willynilly things like this are gonna happen.

3 Likes

how do i install libs on zig

There’s no official package manager yet, although there are some very good options developed by the community like zigmod and gyro. You can also add dpendencies manually via the robust Zig build system, covered most excellently in this series.

that’s a good point imo, for example golang has a (almost) fully decentralized package system and this doesn’t seem to happen too often I think partially because package names are fully qualified