<div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Mon, Feb 12, 2018 at 6:58 PM Joe Armstrong <<a href="mailto:erlang@gmail.com">erlang@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I have said on many occasions that code should be named by the SHA1 checksum of<br>
the content - as far as I know this would not offend people - apart<br>
from those who<br>
thought the name could be a tad simpler.<br>
<br></blockquote><div><br></div><div>I might have said this before, but here goes:</div><div><br></div><div>Using a cryptographic checksum for a package and then pointing the name to the checksum would have saved Node.js npm package manager a lot of headaches when people remove, rename or otherwise destroy packages.</div><div><br></div><div>It also allows you to comply with legal requests with a sunset period. As in "I hear you, and the name will be given to you. But we give people 6 months time to upgrade before we remove the old checksummed packages".</div><div><br></div><div>I'm interested in why someone did not try this yet. Or if one tried, why it didn't work out. It seems very obvious to build a content-addressable-store for your packages.</div></div></div>